[ https://issues.apache.org/jira/browse/HADOOP-9325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13587875#comment-13587875 ]
Kai Zheng commented on HADOOP-9325:
-----------------------------------

Hi Alejandro,

Thanks for your suggestion. I did some investigation according to your hint, and found:

1. In org.apache.hadoop.http.HttpServer there seem to be two ways to specify the configurations needed by KerberosAuthenticationHandler:
   1) via HttpServer->initSpnego(Configuration conf, String usernameConfKey, String keytabConfKey);
   2) via configuring an AuthenticationFilterInitializer.

Perhaps method 2) is what you meant, right? By adding properties with the prefix hadoop.http.authentication, the FilterInitializer can pass those values to AuthenticationFilter and then to the Kerberos handler. But if no FilterInitializer is specified, then method 1) will be depended on, right? However, in this way only kerberos.principal and kerberos.keytab can be configured; it is not valid for the mentioned kerberos.name.rules.

So in this JIRA, in my view, we might have two things to fix:
1) Adding hadoop.http.authentication.kerberos.names.rules in the doc as you mentioned;
2) Allowing HttpServer->initSpnego(...) to specify the name.rules.

BTW, I reported this issue because I don't know how to specify the kerberos.names.rules in Oozie. In fact it's already supported and possible to do it using a method similar to method 1) for HttpServer in Hadoop. (Done in org.apache.oozie.servlet.AuthFilter.)

Would you check again with this, and with your confirmation, I will go that way and provide the fix.

Thanks
Kai

> KerberosAuthenticationHandler and AuthenticationFilter should be able to reference Hadoop configurations
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9325
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9325
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>
> In KerberosAuthenticationHandler SPNEGO activities, KerberosName is used to get short name for client principal, which needs in some Kerberos authentication situations to reference translation rules defined in Hadoop configuration file like core-site.xml
> as follows:
>   <property>
>     <name>hadoop.security.auth_to_local</name>
>     <value>...</value>
>   </property>
> Note, this is an issue only if default rule can't meet the requirement and custom rules need to be defined.
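
The short-name translation that the quoted issue describes, as an added example that is not part of the original message or of Hadoop's code: a simplified Python model of how auth_to_local style rules turn a client principal into a short name, and why DEFAULT alone fails for a principal from another realm. The realms, principals and rules are constructed sample values, the function names are hypothetical, and principals are assumed to carry a realm.

```python
import re

# Simplified model of auth_to_local rule evaluation; not Hadoop's KerberosName code.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def apply_rule(rule, components, realm, default_realm):
    """Return the short name this rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only covers principals in the cluster's own realm.
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unparseable rule: " + rule)
    count, fmt, match, pattern, repl, every = m.groups()
    if int(count) != len(components):
        return None                      # rule is for a different component count
    params = [realm] + components        # $0 = realm, $1.. = name components
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None                      # acceptance filter rejected the base string
    if pattern is None:
        return base
    return re.sub(pattern, repl, base, count=0 if every else 1)

def short_name(principal, rules, default_realm):
    """Map 'name[/host]@REALM' to a short name using the first rule that applies."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for rule in rules:
        result = apply_rule(rule, components, realm, default_realm)
        if result is not None:
            # A result that still looks like a principal is a rule-writing error.
            if re.search(r"[/@]", result):
                raise ValueError("non-simple name %r from %s" % (result, rule))
            return result
    raise LookupError("no rule applied to " + principal)

# Constructed sample: the cluster realm is EXAMPLE.COM, clients come from CORP.EXAMPLE.
CUSTOM_RULES = [
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE)s/@.*//",
    r"RULE:[2:$1@$0](.*@CORP\.EXAMPLE)s/@.*//",
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "bob@CORP.EXAMPLE", "oozie/host1@CORP.EXAMPLE"):
        print(p, "->", short_name(p, CUSTOM_RULES, "EXAMPLE.COM"))
```

With only `["DEFAULT"]` as the rule list, `bob@CORP.EXAMPLE` raises `LookupError`, which is the situation where custom rules have to reach the SPNEGO handler.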