[
https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703599#comment-16703599
]
Hudson commented on HADOOP-12751:
---------------------------------
SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #15529 (See
[https://builds.apache.org/job/Hadoop-trunk-Commit/15529/])
HADOOP-15959. Revert "HADOOP-12751. While using kerberos Hadoop (stevel: rev
d0edd37269bb40290b409d583bcf3b70897c13e0)
* (edit)
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestUserGroupInformation.java
* (edit)
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.java
* (edit)
hadoop-common-project/hadoop-auth/src/test/java/org/apache/hadoop/security/authentication/util/TestKerberosName.java
* (edit)
hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java
* (edit) hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md
* (edit)
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/KDiag.java
* (edit)
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestKDiag.java
> While using kerberos Hadoop incorrectly assumes names with '@' to be
> non-simple
> -------------------------------------------------------------------------------
>
> Key: HADOOP-12751
> URL: https://issues.apache.org/jira/browse/HADOOP-12751
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.2
> Environment: kerberos
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Critical
> Labels: kerberos
> Fix For: 2.8.0, 3.0.0-alpha1, 2.7.6
>
> Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch,
> 0001-Remove-check-for-user-name-characters-and.patch,
> 0002-HADOOP-12751-leave-user-validation-to-os.patch,
> 0003-HADOOP-12751-leave-user-validation-to-os.patch,
> 0004-HADOOP-12751-leave-user-validation-to-os.patch,
> 0005-HADOOP-12751-leave-user-validation-to-os.patch,
> 0006-HADOOP-12751-leave-user-validation-to-os.patch,
> 0007-HADOOP-12751-leave-user-validation-to-os.patch,
> 0007-HADOOP-12751-leave-user-validation-to-os.patch,
> 0008-HADOOP-12751-leave-user-validation-to-os.patch,
> 0008-HADOOP-12751-leave-user-validation-to-os.patch, HADOOP-12751-009.patch,
> HADOOP-12751-branch-2.7.009.patch
>
>
> In the scenario of a trust between two directories, eg. FreeIPA (ipa.local)
> and Active Directory (ad.local) users can be made available on the OS level
> by something like sssd. The trusted users will be of the form 'user@ad.local'
> while other users are will not contain the domain. Executing 'id -Gn
> user@ad.local' will successfully return the groups the user belongs to if
> configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be
> correct. This code is in KerberosName.java and seems to be a validator if the
> 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check
> or maybe logged as a warning while still proceeding, as the current behavior
> limits integration possibilities with other standard tools.
> Workaround are difficult to apply (by having a rewrite by system tools to for
> example user_ad_local) due to down stream consequences.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
