Re: Review Request 35073: Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules

Emil Anca Tue, 09 Jun 2015 02:56:35 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/35073/
-----------------------------------------------------------


(Updated June 9, 2015, 9:55 a.m.)


Review request for Ambari, Robert Levas, Tom Beerbower, and Vitalyi Brodetskyi.


Changes
-------

Addressed reviewer suggestions.


Bugs: AMBARI-11687
    https://issues.apache.org/jira/browse/AMBARI-11687


Repository: ambari


Description
-------

Force principals names to resolve to lowercase local usernames in auth-to-local 
rules. This will help when the KDC is an MIT KDC or an  Active Directory and 
user accounts have uppercase letters that need to be converted to lowercase 
letters.  For example:  {{USER1234@REALM}} should resolve to {{user1234}}.

*Solution*
# Provide a kerberos-env configuration to optionally create case-insensitive 
rules
# If creating case-insensitive rules, _generic_ auth-to-local rules should 
contain the {{L}} option, as in:

~~~
RULE:[1:$1@$0](.*@REALM)s/@.*///L
~~~


Diffs (updated)
-----

  
ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
 89d0b55 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
 8a5d4fd 
  
ambari-server/src/main/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml
 6d720a0 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
 d1a2bd1 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
 f8ba840 
  ambari-web/app/data/HDP2/site_properties.js 484ad38 

Diff: https://reviews.apache.org/r/35073/diff/


Testing (updated)
-------

* mvn clean test -pl AuthToLocalBuilderTest KerberosHelperImpl locally
* Jenking tests in progress
* Kerbernized/dekerbenized prop with / without prop while monitoring core-site 
auth to local rules
* Added service on kerberized cluster
* Ran
 
   [root@c6401 ~]# hadoop org.apache.hadoop.security.HadoopKerberosName 
[email protected]
Name: [email protected] to eanca

to test the mapping of the new generic Rule.


Thanks,

Emil Anca

Re: Review Request 35073: Kerberos: Force principal names to resolve to lowercase lower usernames in auth-to-local default rules

Reply via email to