hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11683) Need a plugin API to translate long principal names to local OS user names arbitrarily
Date Thu, 21 Jan 2016 03:03:40 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15109956#comment-15109956

Aaron T. Myers commented on HADOOP-11683:

Hey Roger, thanks a lot for taking up this effort. I took a quick look at the patch and it
largely looks good to me. I haven't yet done a detailed code review, but I think the direction
seems generally appropriate. One small thing I think the patch could definitely benefit from
would be breaking out the documentation/example you have in there out of core-default.xml,
and into some actual documentation that will end up published on the website. Putting lengthy
docs explanations in an XML comment is not typically the way we document things.

I can take a harder look at this in the coming days, but I think making that change would
be a good start.

To answer this question:

bq. Just to confirm, since KerberosName and HadoopKerberosName are intended for HDFS and MapReduce
projects only (as defined in LimitedPrivate), do we have the option to refactor these classes
(and maybe provide an interface similar to GroupMappingServiceProvider)?

Yes, that should be fine within our compatibility guidelines. Just be sure not to break HDFS/MR.

[~aw] - do you have any more detailed comments on the latest patch?

> Need a plugin API to translate long principal names to local OS user names arbitrarily
> --------------------------------------------------------------------------------------
>                 Key: HADOOP-11683
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11683
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Sunny Cheung
>            Assignee: roger mak
>         Attachments: HADOOP-11683.001.patch, HADOOP-11683.002.patch, HADOOP-11683.003.patch
> We need a plugin API to translate long principal names (e.g. john.doe@EXAMPLE.COM) to
local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g. john.doe@EXAMPLE.COM
to john_doe), and the hadoop.security.auth_to_local configurable mapping is sufficient to
resolve this (see HADOOP-6526). However, in some other cases the name translation is arbitrary
and cannot be generalized by a set of translation rules easily.

This message was sent by Atlassian JIRA

View raw message