[ 
https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16727257#comment-16727257
 ] 

Bolke de Bruin commented on HADOOP-15996:
-----------------------------------------

[~eyang] So I did investigate the initSpnego approach and did some backtracking in 
the code. From what I can see, 'AUTH_TO_LOCAL' rules are only initialized when 
UserGroupInformation.setConfiguration is called. In the name node initialization 
the following happens in 'initialize':

{code:java}
UserGroupInformation.setConfiguration(conf);
server.initSpnego(conf, hostName, usernameConfKey, keytabConfKey);
{code}
In case you find an orphan `initSpnego` (i.e. one without UserGroupInformation; I 
couldn't find one yet), the `auth_to_local` rules will also not be set (=null). As 
the rule mechanism only kicks in when rules are evaluated, and the mechanism does 
get set when the rules are being set, I have trouble understanding your stack 
trace.

What I will do is attach a patch that does the mapping from 
`hadoop.security.auth_to_local.mechanism` as a try-out, but I would really like to 
understand why that would solve the whole issue.

> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Bolke de Bruin
>            Priority: Major
>         Attachments: 0001-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch, 
> 0002-HADOOP-15996-Make-auth-to-local-configurable.patch
>
>
> Hadoop does not allow the @ character in usernames, per the recent security 
> mailing list vote to revert HADOOP-12751.  A Hadoop auth_to_local rule must 
> match to authorize a user to log in to a Hadoop cluster.  This design does not 
> work well in a multi-realm environment, where identical usernames in two 
> realms do not map to the same user.  There is also the possibility that a lossy 
> regex can incorrectly map users.  In the interest of supporting multiple realms, 
> it may be preferred to pass the principal name without rewrite to uniquely 
> distinguish users.  This jira is to revisit whether Hadoop can support full 
> principal names without rewrite and provide a plugin to override Hadoop's 
> default implementation of auth_to_local for the multi-realm use case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
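The issue description above argues that auth_to_local rewriting is lossy across realms, and the comment refers to the `hadoop.security.auth_to_local.mechanism` switch that decides whether a rule result may still carry a realm. The following is an added example, not code from Hadoop or from the commenter: a simplified Python re-implementation of the `RULE:[n:format](regex)s/from/to/` evaluation performed by Hadoop's KerberosName, with a constructed default realm (`EXAMPLE.COM`), constructed rule sets and constructed principals. It shows a lossy rule collapsing `alice@EXAMPLE.COM` and `alice@PARTNER.ORG` onto the same local user, a principal from an unknown realm being rejected because no rule matches, and how the `hadoop` mechanism rejects a result that keeps the realm while the `mit` mechanism lets it through. The rule parser and sed-substitution semantics are a close approximation only (Python regex replacement syntax, not Java's), and the mechanism names are assumed to be compared case-insensitively as lowercase here.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"      # assumption: this cluster's own Kerberos realm
NON_SIMPLE = re.compile(r"[/@]")   # the 'hadoop' mechanism refuses results containing these


class NoMatchingRule(Exception):
    """Raised when no rule yields a local name (Hadoop's NoMatchingRule)."""


# RULE:[n:format](regex)s/from/to/g/L  -- every part after [n:format] is optional
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"      # [n:format] where $0=realm, $1..$n=components
    r"(?:\(([^)]*)\))?"              # optional regex the formatted name must fully match
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"   # optional sed-style substitution, g = replace all
    r"(/L)?$")                       # optional lowercase flag


def parse_rules(text):
    """Parse a hadoop.security.auth_to_local value (one rule per line) into tuples."""
    rules = []
    for line in text.split("\n"):
        line = line.strip()
        if not line:
            continue
        if line == "DEFAULT":
            rules.append(("DEFAULT",))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("bad auth_to_local rule: " + line)
        n, fmt, match, frm, to, g, lower = m.groups()
        rules.append(("RULE", int(n), fmt, match, frm, to, bool(g), bool(lower)))
    return rules


def split_principal(principal):
    """'nn/host@REALM' -> ('REALM', ['nn', 'host']); no realm means the default realm."""
    base, sep, realm = principal.rpartition("@")
    if not sep:
        base, realm = principal, DEFAULT_REALM
    return realm, base.split("/")


def apply_rule(rule, realm, comps, mechanism):
    """Return the local name this rule produces, or None if the rule does not apply."""
    if rule[0] == "DEFAULT":
        # DEFAULT only strips the realm for principals of the default realm itself
        return comps[0] if realm == DEFAULT_REALM else None
    _, n, fmt, match, frm, to, repeat, lower = rule
    if n != len(comps):
        return None
    params = [realm] + comps
    base = re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None
    result = base
    if frm is not None:
        result = re.sub(frm, to, base, count=0 if repeat else 1)
    if lower:
        result = result.lower()
    # The 'hadoop' mechanism insists on a plain short name; 'mit' keeps what the rule produced
    if mechanism.lower() == "hadoop" and NON_SIMPLE.search(result):
        raise NoMatchingRule("non-simple name %r after rule [%d:%s]" % (result, n, fmt))
    return result


def to_local(principal, rules, mechanism="hadoop"):
    """First matching rule wins; a principal no rule accepts is rejected outright."""
    realm, comps = split_principal(principal)
    for rule in rules:
        out = apply_rule(rule, realm, comps, mechanism)
        if out is not None:
            return out
    raise NoMatchingRule("no rule matched " + principal)


# Constructed rule sets for the demonstration (not from any real deployment)
LOSSY_RULES = parse_rules(r"""
RULE:[1:$1@$0](.*@PARTNER\.ORG)s/@.*//
RULE:[2:$1@$0](nn@.*EXAMPLE\.COM)s/.*/hdfs/
DEFAULT
""")
FULL_NAME_RULES = parse_rules(r"""
RULE:[1:$1@$0]
DEFAULT
""")


def demo():
    """Run constructed multi-realm principals through both rule sets; returns outcomes."""
    out = {}
    for p in ("alice@EXAMPLE.COM", "alice@PARTNER.ORG",
              "nn/namenode.example.com@EXAMPLE.COM", "bob@OTHER.NET"):
        try:
            out[("lossy", p)] = to_local(p, LOSSY_RULES)
        except NoMatchingRule as e:
            out[("lossy", p)] = "REJECTED: " + str(e)
    for mech in ("hadoop", "mit"):
        try:
            out[(mech, "alice@PARTNER.ORG")] = to_local("alice@PARTNER.ORG", FULL_NAME_RULES, mech)
        except NoMatchingRule as e:
            out[(mech, "alice@PARTNER.ORG")] = "REJECTED: " + str(e)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-7s %-38s -> %s" % (key[0], key[1], value))
```

Under the lossy rule set both `alice` principals become the local user `alice`, which is exactly the cross-realm collision the description warns about, while `bob@OTHER.NET` is rejected because neither the partner rule nor DEFAULT applies to his realm. Keeping the full principal (`RULE:[1:$1@$0]`) distinguishes the two `alice` identities, but only under the `mit` mechanism; the `hadoop` mechanism throws on the `@` in the result, which is why the mechanism setting matters for the multi-realm case.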
