hadoop-common-issues mailing list archives

From "Erik Krogen (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Fri, 19 Apr 2019 20:52:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16822180#comment-16822180 ]

Erik Krogen edited comment on HADOOP-16214 at 4/19/19 8:51 PM:
---------------------------------------------------------------

To give more context on our use case, we have the need for more fine-grained identity management
than a simple username. For example, for the purposes of ensuring regulatory compliance, we
have the need for the behavior of systems to vary based not just on the simple account name,
but also on the specific use case. This information, as it is closely tied to permissioning,
is being embedded in the identity of the executing application. From a core Hadoop perspective,
it is ok for permissions to be applied only against {{user}}, but other components may treat
the identity differently depending on these additional identity data embedded in the principal.


was (Author: xkrogen):
To give more context on our use case, we have the need for more fine-grained identity management
than a simple username. For example, for the purposes of ensuring regulatory compliance, we
have the need for the behavior of systems to vary based not just on the simple account name,
but also on the specific use case. This information, as it is closely tied to permissioning,
is being embedded in the identity of the executing application. From a core Hadoop perspective,
it is ok for permissions to be applied only against {{user}}, but other components may treat
the identity differently depending on these additional components embedded in the principal.

> Kerberos name implementation in Hadoop does not accept principals with more than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: HADOOP-16214.001.patch, HADOOP-16214.002.patch, HADOOP-16214.003.patch,
>                      HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch,
>                      HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch,
>                      HADOOP-16214.010.patch, HADOOP-16214.011.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting
> a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows
> for an arbitrary number of components in the principal, the Hadoop implementation will throw
> a "Malformed Kerberos name:" error if the principal has more than two components (because
> the regex can only read serviceName and hostName).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
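
The limitation described in the quoted issue, shown as an added example that is not part of the original message and is not Hadoop's own code: a two-component pattern rejects a three-component principal, while a split-based parse keeps the first component as the user and exposes the rest as extra identity data. The class name, pattern, helper names and sample principals are assumptions made for illustration, and backslash-escaped `/` or `@` inside components are not handled.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PrincipalParseDemo {
    // Illustrative pattern (assumption, not copied from Hadoop): a primary,
    // at most one further component, and an optional realm.
    static final Pattern TWO_PART =
        Pattern.compile("([^/@]+)(/([^/@]+))?(@([^/@]+))?");

    // Strict parse: anything with more than two components fails to match.
    static String shortNameStrict(String principal) {
        Matcher m = TWO_PART.matcher(principal);
        if (!m.matches()) {
            throw new IllegalArgumentException("Malformed Kerberos name: " + principal);
        }
        return m.group(1);
    }

    // Tolerant parse: cut the realm at the last '@', then split on '/'.
    // Empty components and an empty realm are still rejected.
    static List<String> components(String principal) {
        int at = principal.lastIndexOf('@');
        String name = at < 0 ? principal : principal.substring(0, at);
        if (name.isEmpty() || name.startsWith("/") || name.endsWith("/")
                || name.contains("//") || at == principal.length() - 1) {
            throw new IllegalArgumentException("Malformed Kerberos name: " + principal);
        }
        return Arrays.asList(name.split("/"));
    }

    public static void main(String[] args) {
        // Constructed sample principals, not taken from the issue.
        String[] samples = {
            "alice@EXAMPLE.COM",
            "hdfs/nn1.example.com@EXAMPLE.COM",
            "alice/etl/compliance@EXAMPLE.COM"
        };
        for (String p : samples) {
            String strict;
            try { strict = shortNameStrict(p); }
            catch (IllegalArgumentException e) { strict = "REJECTED (" + e.getMessage() + ")"; }
            List<String> c = components(p);
            // Permission checks would use only c.get(0); the remaining
            // components are extra identity data for other consumers.
            System.out.println(p + "\n  strict:   " + strict
                + "\n  tolerant: user=" + c.get(0) + " extra=" + c.subList(1, c.size()));
        }
    }
}
```

Whatever parser is used, every service that maps principals to users has to agree on which component is the user, otherwise the same ticket can resolve to different identities in different places.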
