[ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16837418#comment-16837418 ]
Daryn Sharp commented on HADOOP-16214:
--------------------------------------

{quote}This only benefits his own proposal of using auth_to_local as firewall rules to prevent unauthorized users from getting into a secure cluster. This is not retaining backward compatibility, but a benefit for his own agenda.{quote}

{quote}Please do not conflate authentication with authorization. Your proposal of using auth_to_local as a firewall rule is trying to block anonymous users from gaining access to the system during the authentication phase.{quote}

The auth_to_local rules serve, and always have served, as a whitelist for authorization. Rejecting your proposal to change out-of-scope semantics is neither a proposal nor an agenda.

As an example of practicality to others, would an admin prefer:

# Define a few auth_to_local rules to whitelist principals (in this case to enforce principals containing the authorized roles). One change protects all services.
# Define N-many ACLs for _every_ current/future service – assuming the service even has ACL support. Remain hyper-vigilant to detect and define ACLs for every current/future service & protocol.

The default behavior is and must remain #1. An admin may already select #2 via an explicit wildcard rule if they wish, and bear the brunt of defining and auditing all their services. Debating a change to these semantics is out of scope for this jira.
> Kerberos name implementation in Hadoop does not accept principals with more
> than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch,
> HADOOP-16214.002.patch, HADOOP-16214.003.patch, HADOOP-16214.004.patch,
> HADOOP-16214.005.patch, HADOOP-16214.006.patch, HADOOP-16214.007.patch,
> HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch,
> HADOOP-16214.011.patch, HADOOP-16214.012.patch, HADOOP-16214.013.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of
> converting a Kerberos principal to a user name in Hadoop for all of the
> services requiring authentication.
> Although the Kerberos spec
> ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html])
> allows for an arbitrary number of components in the principal, the Hadoop
> implementation will throw a "Malformed Kerberos name:" error if the principal
> has more than two components (because the regex can only read serviceName and
> hostName).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
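As an added illustration, not code from Hadoop or from anyone on this issue, the following Python model shows the two points on this page side by side: a service/host-shaped regex (modelled on the behaviour the issue describes, not the actual KerberosName pattern) rejecting a three-component principal where a component-agnostic parser accepts it, and an auth_to_local-style whitelist that maps a principal to a local user only when some rule matches it. The rule tuples, realms and principals are constructed for the example, and the rule format is a simplification rather than Hadoop's rule grammar.

```python
import re

# Two-component parser shaped like the behaviour the issue describes:
# "name[/host]@REALM". A third component has nowhere to go, so the match
# fails and the caller reports "Malformed Kerberos name".
TWO_COMPONENT = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")

def parse_two_component(principal):
    m = TWO_COMPONENT.match(principal)
    if not m:
        raise ValueError(f"Malformed Kerberos name: {principal}")
    name, host, realm = m.groups()
    return [c for c in (name, host) if c], realm

# Component-agnostic parser: split the realm off at the last '@', then
# split the remainder on '/'; any number of non-empty components is fine.
def parse_n_component(principal):
    primary, sep, realm = principal.rpartition("@")
    comps = primary.split("/")
    if not sep or not realm or any(c == "" for c in comps):
        raise ValueError(f"Malformed Kerberos name: {principal}")
    return comps, realm

# Simplified auth_to_local-style whitelist (constructed rules, not the real
# Hadoop rule grammar). A rule is (component count, realm, regex over the
# '/'-joined components, replacement). The first matching rule names the
# local user; a principal that matches no rule is rejected outright, which
# is the default whitelist behaviour the comment above argues must remain.
RULES = [
    (2, "EXAMPLE.COM", re.compile(r"^hdfs/.*$"), "hdfs"),
    (1, "EXAMPLE.COM", re.compile(r"^([a-z]+)$"), r"\1"),
]

def to_local_user(principal, rules=RULES):
    comps, realm = parse_n_component(principal)
    for count, rule_realm, pattern, repl in rules:
        if count != len(comps) or rule_realm != realm:
            continue
        m = pattern.match("/".join(comps))
        if m:
            return m.expand(repl)
    raise PermissionError(f"No auth_to_local rule matched {principal}")
```

In this model, appending a catch-all such as `(1, "EXAMPLE.COM", re.compile(r"^(.*)$"), r"\1")` is the explicit wildcard choice the comment describes: every one-component principal in that realm then maps to a local user, and authorization has to be carried by per-service ACLs instead.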