[ https://issues.apache.org/jira/browse/HADOOP-15996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16729814#comment-16729814 ]

Steve Loughran commented on HADOOP-15996:
-----------------------------------------

I am out of my depth here so don't expect approval from me. Ed Yang has taken the 
lead.

* Why "compat" as the name? (a) we don't need something quite so terse and (b) 
assuming it's short for "compatible", I'm left looking at it wondering "how is 
this different from "legacy"?" If it's about MIT, how about "mit"/"MIT"?
* If someone is running a cluster and hasn't set a policy, is every single one 
of their apps going to be adding a log message telling them off? And how many 
times per app? This may seem minor, but every time something which is not 
actually a problem gets turned into a log@warn, somebody sees it and worries.


test: what happens if a wrong value is set as the rule mechanism?

TestUserGroupInformation

* keep with the static imports of specific fields, given someone has started 
that way
* {{testConstructorFailures}}. If the exception doesn't match, rethrow the 
full exception, possibly as the cause of a raised assertion. Preserves the 
stack trace.

> Plugin interface to support more complex usernames in Hadoop
> ------------------------------------------------------------
>
>                 Key: HADOOP-15996
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Bolke de Bruin
>            Priority: Major
>         Attachments: 0001-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0001-Make-allowing-or-configurable.patch, 
> 0001-Simple-trial-of-using-krb5.conf-for-auth_to_local-ru.patch, 
> 0002-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0003-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0004-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> 0005-HADOOP-15996-Make-auth-to-local-configurable.patch, 
> HADOOP-15996.0005.patch, HADOOP-15996.0006.patch
>
>
> Hadoop does not allow support of @ character in username in recent security 
> mailing list vote to revert HADOOP-12751.  Hadoop auth_to_local rule must 
> match to authorize user to login to Hadoop cluster.  This design does not 
> work well in multi-realm environment where identical username between two 
> realms do not map to the same user.  There is also possibility that lossy 
> regex can incorrectly map users.  In the interest of supporting multi-realms, 
> it may be preferred to pass principal name without rewrite to uniquely 
> distinguish users.  This jira is to revisit if Hadoop can support full 
> principal names without rewrite and provide a plugin to override Hadoop's 
> default implementation of auth_to_local for multi-realm use case.



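Added example, not part of the original message or of the Hadoop code base: a simplified Python model of `RULE:[n:format](regex)s/pattern/replacement/` evaluation that audits a rule set for the lossy mapping the issue description mentions, where principals from two realms collapse to one short name. The realms, principals, helper names and the `_partner` suffix are constructed for illustration, and the rule grammar handled (plain replacement text, full-match semantics, first match wins) is an assumption of this model.

```python
import re
from collections import defaultdict

# Assumed subset of the rule grammar: RULE:[n:format](match)s/pattern/replacement/[g]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    n, fmt, match, pat, repl, g = m.groups()
    # count=0 means "replace all" in re.sub, count=1 means "first only"
    return int(n), fmt, re.compile(match), re.compile(pat), repl, 0 if g else 1

def short_name(principal, rules):
    """Short name from the first matching rule, or None if no rule matches."""
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")            # $0 = realm, $1.. = components
    for n, fmt, match, pat, repl, count in rules:
        if len(parts) - 1 != n:                  # rule applies to n-component names only
            continue
        base = re.sub(r"\$(\d)", lambda m: parts[int(m.group(1))], fmt)
        if match.fullmatch(base):                # assumption: whole string must match
            return pat.sub(repl, base, count=count)
    return None

def collisions(principals, rules):
    """Short names that more than one distinct principal maps to."""
    seen = defaultdict(list)
    for p in principals:
        seen[short_name(p, rules)].append(p)
    return {k: v for k, v in seen.items() if k is not None and len(v) > 1}

# Constructed sample data: two realms that both contain a user "alice".
PRINCIPALS = ["alice@CORP.EXAMPLE", "alice@PARTNER.EXAMPLE", "bob@CORP.EXAMPLE"]

# Lossy: strips any realm, so both alices become the same local user.
LOSSY = [parse_rule(r"RULE:[1:$1@$0](.*@.*)s/@.*//")]

# Realm-aware: the second realm keeps a distinguishing suffix.
PER_REALM = [
    parse_rule(r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE)s/@.*//"),
    parse_rule(r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/@PARTNER\.EXAMPLE/_partner/"),
]

if __name__ == "__main__":
    print("lossy rule set:", collisions(PRINCIPALS, LOSSY))
    print("per-realm rule set:", collisions(PRINCIPALS, PER_REALM))
```
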