hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Thu, 02 May 2019 21:55:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832021#comment-16832021
] 

Eric Yang commented on HADOOP-16214:
------------------------------------

Patch 12 keeps the Hadoop rule mechanism unchanged, and only applies multi-component parsing to
the MIT rule mechanism.

A few behavior differences worth mentioning:
# Hadoop mechanism 
## allows simple principal name with 2 components to become service principal
## DEFAULT rule will truncate service principal to first component
# MIT mechanism
## does not allow simple principal name to become service principal
## DEFAULT rule: If the principal has more than one component or is not in the default realm,
this rule is not applicable and the conversion will fail.  getShortName() will return the
full principal name for OS to handle group membership lookup correctly.

I removed strict FQDN check and strict JDK kerberosPrincipal in patch 11 for service principal
because there is a high chance that private hostname that doesn't follow strict FQDN may fail
with patch 11.  Removed JDK KerberosPrincipal parsing to address Daryn's previous performance
comment.

[~ibuenros] [~owen.omalley] [~daryn], please help with the review.  Thank you

> Kerberos name implementation in Hadoop does not accept principals with more than two components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch, HADOOP-16214.002.patch,
HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch,
HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch,
HADOOP-16214.011.patch, HADOOP-16214.012.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting
a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows
for an arbitrary number of components in the principal, the Hadoop implementation will throw
a "Malformed Kerberos name:" error if the principal has more than two components (because
the regex can only read serviceName and hostName).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
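The following is an added illustration, not code from Hadoop's KerberosName class or from any of the patches attached to this issue. It models, in Python, the two behaviours the comment above contrasts: a legacy-style two-component parser that rejects a third component as "Malformed Kerberos name", a multi-component parser, and the DEFAULT rule under the Hadoop mechanism (truncate to the first component) versus the MIT mechanism (applies only to single-component principals in the default realm; otherwise the full principal is returned). The regular expression, the function names and the "No rules applied" behaviour when no rule matches are constructed approximations for this example, not the project's actual implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed approximation of the two-component pattern the issue describes:
# it can only read serviceName and hostName, so a principal with a third
# component never matches and is reported as malformed.
LEGACY_TWO_COMPONENT_RE = re.compile(r"^([^/@]*)(?:/([^/@]*))?@([^/@]*)$")


def legacy_parse(principal: str) -> Tuple[List[str], str]:
    """Legacy-style parse: returns (components, realm) or raises on a third component."""
    m = LEGACY_TWO_COMPONENT_RE.match(principal)
    if m is None:
        raise ValueError(f"Malformed Kerberos name: {principal}")
    primary, instance, realm = m.groups()
    components = [primary] + ([instance] if instance is not None else [])
    return components, realm


def legacy_accepts(principal: str) -> bool:
    """True if the legacy-style parser accepts the principal."""
    try:
        legacy_parse(principal)
        return True
    except ValueError:
        return False


@dataclass
class KerberosName:
    """Principal split into an arbitrary number of components plus an optional realm."""
    components: List[str]
    realm: Optional[str]

    @classmethod
    def parse(cls, principal: str) -> "KerberosName":
        """Multi-component parse: primary[/instance]*[@REALM]; rejects empty components."""
        if not principal:
            raise ValueError("Malformed Kerberos name: <empty>")
        name, sep, realm = principal.rpartition("@")
        if not sep:
            name, realm = principal, None
        components = name.split("/")
        if any(c == "" for c in components):
            raise ValueError(f"Malformed Kerberos name: {principal}")
        return cls(components, realm)

    def full_name(self) -> str:
        name = "/".join(self.components)
        return f"{name}@{self.realm}" if self.realm is not None else name


def default_rule_hadoop(kn: KerberosName, default_realm: str) -> Optional[str]:
    """Hadoop mechanism DEFAULT rule (as described in the comment): a principal in
    the default realm is truncated to its first component, whatever its length."""
    if kn.realm != default_realm:
        return None  # rule not applicable
    return kn.components[0]


def default_rule_mit(kn: KerberosName, default_realm: str) -> Optional[str]:
    """MIT mechanism DEFAULT rule: applies only to a single-component principal
    in the default realm; anything else is not applicable."""
    if kn.realm != default_realm or len(kn.components) != 1:
        return None
    return kn.components[0]


def short_name(principal: str, default_realm: str, mechanism: str = "hadoop") -> str:
    """Map a principal to a short name using only the DEFAULT rule of the chosen mechanism."""
    kn = KerberosName.parse(principal)
    rule = default_rule_hadoop if mechanism == "hadoop" else default_rule_mit
    result = rule(kn, default_realm)
    if result is not None:
        return result
    if mechanism == "mit":
        # Per the comment: hand the full principal back so the OS can resolve groups.
        return kn.full_name()
    # Assumed failure mode for this illustration when no rule applies.
    raise ValueError(f"No rules applied to {principal}")


if __name__ == "__main__":
    for p in ("hdfs/nn.example.com@EXAMPLE.COM", "svc/host/extra@EXAMPLE.COM"):
        print(p, "legacy accepts:", legacy_accepts(p))
    for mech in ("hadoop", "mit"):
        print(mech, short_name("svc/host/extra@EXAMPLE.COM", "EXAMPLE.COM", mech))
```

Running the block shows the three-component principal being rejected by the legacy-style parser, then mapped to `svc` under the Hadoop mechanism and returned unchanged under the MIT mechanism; a plain user principal such as `alice@EXAMPLE.COM` maps to `alice` under both.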

