[ https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16725480#comment-16725480 ]
Eric Yang edited comment on HADOOP-15996 at 12/20/18 1:08 AM: -------------------------------------------------------------- The failed test doesn't seem like related to 001 patch. The feature works same as HADOOP-12751. I will let others comment if ACL check needs to be applied as part of this JIRA to block unauthorized kerberos principals. I don't mind to commit the current form (with checkstyle fix), if this is holding up Hadoop 3.2.0 release. was (Author: eyang): The failed test doesn't seem like related to 001 patch. The feature works same as HADOOP-12751. I will let others comment if ACL check needs to be applied as part of this JIRA to block unauthorized kerberos principals. > Plugin interface to support more complex usernames in Hadoop > ------------------------------------------------------------ > > Key: HADOOP-15996 > URL: https://issues.apache.org/jira/browse/HADOOP-15996 > Project: Hadoop Common > Issue Type: New Feature > Components: security > Reporter: Eric Yang > Assignee: Bolke de Bruin > Priority: Major > Attachments: 0001-HADOOP-15996-Make-auth-to-local-configurable.patch, > 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch > > > Hadoop does not allow support of @ character in username in recent security > mailing list vote to revert HADOOP-12751. Hadoop auth_to_local rule must > match to authorize user to login to Hadoop cluster. This design does not > work well in multi-realm environment where identical username between two > realms do not map to the same user. There is also possibility that lossy > regex can incorrectly map users. In the interest of supporting multi-realms, > it maybe preferred to pass principal name without rewrite to uniquely > distinguish users. This jira is to revisit if Hadoop can support full > principal names without rewrite and provide a plugin to override Hadoop's > default implementation of auth_to_local for multi-realm use case. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org