[ https://issues.apache.org/jira/browse/HADOOP-9325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13587875#comment-13587875 ]

Kai Zheng commented on HADOOP-9325:
-----------------------------------

Hi Alejandro,

Thanks for your suggestion. I did some investigation according to your hint, 
and found:
1. In org.apache.hadoop.http.HttpServer there seem to be two ways to specify 
the configurations needed by KerberosAuthenticationHandler:
  1) via HttpServer->initSpnego(Configuration conf, String usernameConfKey, 
String keytabConfKey);
  2) via configuring an AuthenticationFilterInitializer.
Perhaps method 2) is what you meant, right? By adding properties with the prefix 
hadoop.http.authentication, FilterInitializer can pass those values to 
AuthenticationFilter and then to the Kerberos handler.
But if no FilterInitializer is specified, then method 1) will be depended on, 
right? However, in this way only kerberos.principal and kerberos.keytab can be 
configured, not valid for the mentioned kerberos.name.rules.

So in this JIRA, in my view, we might have two things to fix:
1) Adding hadoop.http.authentication.kerberos.names.rules in the doc as you 
mentioned;
2) Allowing HttpServer->initSpnego(...) to specify the name.rules.

BTW, I reported this issue because I didn't know how to specify the 
kerberos.names.rules in Oozie. In fact it's already supported and possible to 
do it using a method similar to method 1) for HttpServer in Hadoop. (Done in 
org.apache.oozie.servlet.AuthFilter).

Would you check again with this, and with your confirmation, I will go that way 
and provide the fix.

Thanks
Kai
                
> KerberosAuthenticationHandler and AuthenticationFilter should be able to 
> reference Hadoop configurations
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9325
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9325
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>
> In KerberosAuthenticationHandler SPNEGO activities, KerberosName is used to 
> get short name for client principal, which needs in some Kerberos 
> authentication situations to reference translation rules defined in Hadoop 
> configuration file like core-site.xml
> as follows:
>   <property>
>     <name>hadoop.security.auth_to_local</name>
>     <value>...</value>
>   </property>
> Note, this is an issue only if default rule can't meet the requirement and 
> custom rules need to be defined.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
