hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11683) Need a plugin API to translate long principal names to local OS user names arbitrarily
Date Mon, 25 Jan 2016 12:14:40 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115110#comment-15115110 ]

Kai Zheng commented on HADOOP-11683:
------------------------------------

bq. I think it is important to recognize that principal -> username conversion happens all over the stack.
Agree, this is similar to the user groups mapping behaviour. The configurations and referenced
providers introduced here should be the same on all the nodes.
bq. if a non-Java AM decides to provide user auth (think Slider), it doesn't appear to have a way to access this functionality without using JNI.
I'm not sure I got this, but with the current code, non-Java AMs already need to access
{{HadoopKerberosName}} or use the current mapping method via the configuration {{auth_to_local}},
I guess? This work keeps the behaviour and introduces a pluggable provider mechanism but hasn't
provided any plugin provider yet.


> Need a plugin API to translate long principal names to local OS user names arbitrarily
> --------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11683
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11683
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Sunny Cheung
>            Assignee: roger mak
>         Attachments: HADOOP-11683.001.patch, HADOOP-11683.002.patch, HADOOP-11683.003.patch
>
>
> We need a plugin API to translate long principal names (e.g. john.doe@EXAMPLE.COM) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g. john.doe@EXAMPLE.COM to john_doe), and the hadoop.security.auth_to_local configurable mapping is sufficient to resolve this (see HADOOP-6526). However, in some other cases the name translation is arbitrary and cannot be generalized by a set of translation rules easily.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
