[ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832891#comment-16832891 ]
Eric Yang commented on HADOOP-16214:
------------------------------------

[~daryn]
{quote}If I were to use RBAC to protect a cluster I'd want to handle both service and user accounts. I would need to write rules to allow only the users within certain roles, all else are rejected. Hence why the MIT best-effort else allow all non-matching principals through would be a complete non-starter.{quote}

A role inside a Kerberos principal only shows the identity of the caller; the server side must perform the grant of authorization in order for the system to remain secure. Please do not conflate authentication with authorization. Your proposal of using auth_to_local as firewall rules is trying to block anonymous users from gaining access to the system during the authentication phase, whereas the MIT rule mechanism will defer authorization to either the proxy ACL or the Ranger plugin, because a non-matching principal in auth_to_local is still a Kerberos-authenticated client. This may sound like hair splitting, but please allow other community members to have a chance to develop a more fine-grained authorization scheme than auth_to_local firewall rules.
> Kerberos name implementation in Hadoop does not accept principals with more than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch, HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch, HADOOP-16214.011.patch, HADOOP-16214.012.patch, HADOOP-16214.013.patch
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
>
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows for an arbitrary number of components in the principal, the Hadoop implementation will throw a "Malformed Kerberos name:" error if the principal has more than two components (because the regex can only read serviceName and hostName).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
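The two points the thread turns on, the two-component limit in the principal parser and the difference between the "hadoop" and "mit" rule mechanisms when no auth_to_local rule matches, are easier to see side by side in code. The following is an added example written for this page; it is not Hadoop's KerberosName and not code from any participant in the thread. It follows the documented Hadoop rule grammar (RULE:[n:fmt](regex)s/pat/repl/g and DEFAULT) but makes several assumptions: a principal must carry a realm, DEFAULT applies only to single-component principals in the default realm (MIT semantics), Hadoop's trailing /L lowercase flag is not implemented, and the rule set, realm and principals are constructed for illustration.

```python
import re
from collections import namedtuple


class NoMatchingRule(Exception):
    """Raised in 'hadoop' mode when no rule maps the principal, or the mapped name is not simple."""


def parse_principal(principal):
    """Split 'c1/c2/.../cN@REALM' into (components, realm).

    Any number of '/'-separated components is accepted, as the Kerberos spec allows;
    the two-component regex the issue describes would reject three or more.
    Empty components and a missing realm are rejected (assumption: realm is required).
    """
    name, at, realm = principal.rpartition('@')
    if not at or not name or not realm or '/' in realm:
        raise ValueError('Malformed Kerberos name: %r' % principal)
    comps = name.split('/')
    if '' in comps:
        raise ValueError('Malformed Kerberos name: %r' % principal)
    return comps, realm


# One parsed rule; n is None for DEFAULT.
Rule = namedtuple('Rule', 'n fmt match sed_from sed_to repeat')

# Hadoop-style grammar: RULE:[n:fmt](regex)s/pat/repl/g  (the regex and sed parts are optional)
_RULE_RE = re.compile(r'^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$')


def parse_rules(text):
    """Parse whitespace-separated auth_to_local rules into Rule tuples."""
    rules = []
    for line in text.split():
        if line == 'DEFAULT':
            rules.append(Rule(None, None, None, None, None, False))
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError('Bad auth_to_local rule: %r' % line)
        n, fmt, match, sed_from, sed_to, g = m.groups()
        rules.append(Rule(
            int(n), fmt,
            re.compile(match) if match is not None else None,
            re.compile(sed_from) if sed_from is not None else None,
            # Java-style $1 group references in the replacement become Python's \1
            re.sub(r'\$(\d)', r'\\\1', sed_to) if sed_to is not None else None,
            g == 'g'))
    return rules


def _format(fmt, comps, realm):
    """Expand $0 (realm) and $1..$N (principal components) in a rule's format string."""
    def sub(m):
        i = int(m.group(1))
        if i > len(comps):
            raise ValueError('%r references $%d but principal has %d components' % (fmt, i, len(comps)))
        return realm if i == 0 else comps[i - 1]
    return re.sub(r'\$(\d+)', sub, fmt)


def _apply(rule, comps, realm, default_realm):
    """Return the local name produced by one rule, or None if the rule does not apply."""
    if rule.n is None:  # DEFAULT: single-component principal in the default realm (assumption)
        return comps[0] if (realm == default_realm and len(comps) == 1) else None
    if rule.n != len(comps):  # [n:...] applies only to principals with exactly n components
        return None
    base = _format(rule.fmt, comps, realm)
    if rule.match is not None and not rule.match.fullmatch(base):
        return None
    if rule.sed_from is not None:
        base = rule.sed_from.sub(rule.sed_to, base, count=0 if rule.repeat else 1)
    return base


def to_local_name(principal, rules, default_realm, mechanism='hadoop'):
    """Map a principal to a local user name under the given rule mechanism.

    'hadoop': no matching rule, or a result still containing '/' or '@', is an error.
    'mit':    no matching rule passes the full principal through unchanged, so the
              decision to reject it is deferred to whatever authorization layer runs next.
    """
    comps, realm = parse_principal(principal)
    for rule in rules:
        result = _apply(rule, comps, realm, default_realm)
        if result is None:
            continue
        if mechanism == 'hadoop' and re.search(r'[/@]', result):
            raise NoMatchingRule('Non-simple name %r after auth_to_local rule' % result)
        return result
    if mechanism == 'hadoop':
        raise NoMatchingRule('No rules applied to ' + principal)
    return principal


# Constructed rule set: a two-component service rule, a three-component one, then DEFAULT.
RULES_TEXT = r"""
RULE:[2:$1@$0](.*@EXAMPLE\.COM)s/@.*//
RULE:[3:$1@$0](.*@EXAMPLE\.COM)s/@.*//
DEFAULT
"""

if __name__ == '__main__':
    rules = parse_rules(RULES_TEXT)
    for p in ('alice@EXAMPLE.COM', 'nn/host1.example.com@EXAMPLE.COM',
              'HTTP/proxy/gw.example.com@EXAMPLE.COM'):
        print(p, '->', to_local_name(p, rules, 'EXAMPLE.COM'))
    print('bob@OTHER.REALM (mit) ->', to_local_name('bob@OTHER.REALM', rules, 'EXAMPLE.COM', 'mit'))
```

The three-component principal is handled by an ordinary `[3:...]` rule once the parser stops assuming exactly service and host; and the last call shows what the thread is arguing about: under "mit", an unmatched principal such as bob@OTHER.REALM comes back verbatim, still authenticated, and it is then up to a proxy-user ACL or a Ranger-style policy to decide whether that name is allowed to do anything.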