[ 
https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832891#comment-16832891
 ] 

Eric Yang commented on HADOOP-16214:
------------------------------------

[~daryn] {quote}If I were to use RBAC to protect a cluster I'd want to handle 
both service and user accounts. I would need to write rules to allow only the 
users within certain roles, all else are rejected.  Hence why the MIT 
best-effort else allow all non-matching principals through would be a complete 
non-starter.{quote}

A role inside a Kerberos principal only shows the identity of the caller; the 
server side must perform the grant of authorization in order for the system to 
remain secure.  Please do not conflate authentication with authorization.  
Your proposal of using auth_to_local as a firewall rule is trying to block 
anonymous from gaining access to the system during the authentication phase, 
whereas the MIT rule mechanism will defer authorization to either the proxy ACL or 
the Ranger plugin, because a non-matching principal in auth_to_local is still a 
Kerberos-authenticated client.  This may sound like hair splitting, but please 
allow other community members to have a chance to develop a more fine-grained 
authorization scheme than auth_to_local firewall rules.

> Kerberos name implementation in Hadoop does not accept principals with more 
> than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch, 
> HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch, 
> HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch, 
> HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch, 
> HADOOP-16214.011.patch, HADOOP-16214.012.patch, HADOOP-16214.013.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of 
> converting a Kerberos principal to a user name in Hadoop for all of the 
> services requiring authentication.
> Although the Kerberos spec 
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
>  allows for an arbitrary number of components in the principal, the Hadoop 
> implementation will throw a "Malformed Kerberos name:" error if the principal 
> has more than two components (because the regex can only read serviceName and 
> hostName).
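The two points in this thread, principals with more than two components and the difference between mapping a principal to a local name and authorizing that name, can be seen in a small model of auth_to_local rule evaluation. The following is an added illustration written for this page, not Hadoop's KerberosName code and not krb5's: it accepts any number of components, supports a subset of the Hadoop rule syntax (DEFAULT and RULE:[n:fmt](regex)s/from/to/g/L), and offers two no-match policies, a strict "hadoop" mode that rejects unmapped or non-simple names and a "mit" mode that passes an unmapped principal through, as the discussion above describes it (that pass-through behaviour is modelled from the thread, not copied from either code base). The realm, the rules and the role table are constructed sample values; the separate authorize() step is where the grant is actually decided.

```python
"""Simplified auth_to_local model (illustration only, not Hadoop or krb5 code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_REALM = "EXAMPLE.COM"   # constructed; Hadoop reads the default realm from krb5.conf


class NoMatchingRule(Exception):
    """Raised in 'hadoop' mode when the principal cannot be mapped to a simple name."""


@dataclass
class Principal:
    components: List[str]
    realm: str

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def parse_principal(name: str) -> Principal:
    """Split 'c1/c2/.../cn@REALM'; any number of components is accepted, per the spec."""
    local, sep, realm = name.rpartition("@")
    if not sep:                       # no realm given: assume the default realm
        local, realm = name, DEFAULT_REALM
    comps = local.split("/")
    if any(c == "" for c in comps) or not realm:
        raise ValueError("Malformed Kerberos name: " + name)
    return Principal(comps, realm)


# RULE:[n:fmt](regex)s/from/to/g/L  (regex, s///, g and /L are each optional)
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\]"       # [n:fmt]
    r"(?:\(([^)]*)\))?"               # optional (regex) applied to the formatted name
    r"(?:s/([^/]*)/([^/]*)/(g?))?"    # optional substitution
    r"(/L)?$"                         # optional lowercase flag
)


@dataclass
class Rule:
    text: str
    ncomp: int = 0
    fmt: str = ""
    match: Optional[re.Pattern] = None
    sub_from: Optional[re.Pattern] = None
    sub_to: str = ""
    sub_global: bool = False
    lower: bool = False
    is_default: bool = False


def parse_rule(text: str) -> Rule:
    if text == "DEFAULT":
        return Rule(text, is_default=True)
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("Invalid rule: " + text)
    ncomp, fmt, rx, sfrom, sto, g, lower = m.groups()
    return Rule(text, int(ncomp), fmt,
                re.compile(rx) if rx is not None else None,
                re.compile(sfrom) if sfrom is not None else None,
                sto or "", g == "g", lower == "/L")


def apply_rule(rule: Rule, p: Principal) -> Optional[str]:
    """Return the mapped local name, or None when this rule does not apply."""
    if rule.is_default:   # DEFAULT: single-component principals of the local realm only
        return p.components[0] if len(p.components) == 1 and p.realm == DEFAULT_REALM else None
    if len(p.components) != rule.ncomp:
        return None
    # $0 expands to the realm, $1..$n to the principal components.
    name = re.sub(r"\$(\d+)",
                  lambda m: p.realm if m.group(1) == "0" else p.components[int(m.group(1)) - 1],
                  rule.fmt)
    if rule.match is not None and not rule.match.fullmatch(name):
        return None
    if rule.sub_from is not None:
        name = rule.sub_from.sub(rule.sub_to, name, count=0 if rule.sub_global else 1)
    return name.lower() if rule.lower else name


def get_short_name(principal: str, rules: List[Rule], mechanism: str = "hadoop") -> str:
    """'hadoop': reject unmapped or non-simple results; 'mit': pass unmapped through."""
    p = parse_principal(principal)
    for rule in rules:
        name = apply_rule(rule, p)
        if name is not None:
            if mechanism == "hadoop" and ("@" in name or "/" in name):
                raise NoMatchingRule(f"Non-simple name {name} after rule {rule.text}")
            return name
    if mechanism == "mit":
        return str(p)                 # modelled pass-through; the caller is still authenticated
    raise NoMatchingRule("No rules applied to " + str(p))


# Constructed role table: this, not the mapping rules, decides what a name may do.
ROLE_MEMBERS = {"cluster-admin": {"hdfs", "yarn"}, "analyst": {"alice"}}


def authorize(local_name: str, required_role: str) -> bool:
    return local_name in ROLE_MEMBERS.get(required_role, set())


def evaluate(principal: str, rules: List[Rule], mechanism: str,
             required_role: str) -> Tuple[Optional[str], bool]:
    """Authenticate-then-authorize; returns (local name or None, authorized)."""
    try:
        name = get_short_name(principal, rules, mechanism)
    except NoMatchingRule:
        return None, False
    return name, authorize(name, required_role)


# Constructed sample rules, including one for a three-component principal.
RULES = [parse_rule(r) for r in (
    "RULE:[2:$1@$0](hdfs@EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[3:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//",
    "DEFAULT",
)]

if __name__ == "__main__":
    for who, mech, role in (("nn/primary/dc1@EXAMPLE.COM", "hadoop", "cluster-admin"),
                            ("mallory@OTHER.REALM", "hadoop", "analyst"),
                            ("mallory@OTHER.REALM", "mit", "analyst")):
        print(who, mech, evaluate(who, RULES, mech, role))
```

Running the script shows the distinction the comment draws: in "mit" mode the foreign-realm principal is mapped to a name (it was authenticated, after all) but is still refused by authorize(), whereas in "hadoop" mode it is dropped one step earlier, during name mapping.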



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
