hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Fri, 03 May 2019 19:11:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832757#comment-16832757 ]

Daryn Sharp commented on HADOOP-16214:
--------------------------------------

Role-encoded principals are a creative use of principals that defies conventional logic (neither
FreeIPA nor AD supports a 2nd component that is not a host), so we are in uncharted territory.
 1. We can't force a requirement to enable the insecure "MIT" mode to support multi-component
principals.
 2. Allowing only 2-component principals to be SPNs is too restrictive and solely based on
what a user (truly no offense Issac!) who wants to use non-standard principals says would
work for them. Instead, we can use a sentinel value to indicate no host, i.e. something like
"user/-/role".

Now why does this matter? We are increasingly moving to role-based access control, so I can
envision using this feature to tightly restrict access to highly confidential clusters to
a special subset of users within a realm. If I were to use RBAC to protect a cluster I'd want
to handle both service and user accounts. I would need to write rules to allow only the users
within certain roles; all else are rejected. Hence the MIT best-effort behaviour (allow all
non-matching principals through) would be a complete non-starter.

> Kerberos name implementation in Hadoop does not accept principals with more than two
> components
> -----------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch, HADOOP-16214.002.patch,
> HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch,
> HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch,
> HADOOP-16214.011.patch, HADOOP-16214.012.patch, HADOOP-16214.013.patch
>
>
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting
> a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows
> for an arbitrary number of components in the principal, the Hadoop implementation will throw
> a "Malformed Kerberos name:" error if the principal has more than two components (because
> the regex can only read serviceName and hostName).
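The following is an added illustration, not code from Hadoop's KerberosName class or from any of the attached patches. It sketches the two ideas in the thread: a two-component-only regex of the shape the bug report describes rejects a role-encoded principal such as "alice/-/admin@EXAMPLE.COM", while a component-aware parser plus deny-by-default mapping rules (Daryn's RBAC use case, with "-" as the no-host sentinel) can admit only the roles an administrator lists and reject everything else. The `Rule` structure, the `$0`/`$1`..`$n` placeholders, the sample principals and the EXAMPLE.COM realm are all assumptions made for this example; the "MIT mode" switch models only the pass-through behaviour the comment objects to, not Hadoop's real configuration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A regex of the two-component "service/host@REALM" shape the report describes
# (assumed for illustration; not claimed to be Hadoop's exact pattern).
TWO_COMPONENT_RE = re.compile(r"([^/@]*)(/([^/@]*))?@([^/@]*)")

NO_HOST = "-"  # sentinel for "this component is not a host", as proposed in the comment


class MalformedPrincipal(ValueError):
    """Principal is missing a realm or has an empty component."""


class NoMatchingRule(PermissionError):
    """No auth_to_local-style rule accepted the principal (deny by default)."""


def two_component_only(principal: str) -> bool:
    """True if the legacy two-component regex would accept this principal."""
    return TWO_COMPONENT_RE.fullmatch(principal) is not None


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'c1/c2/.../cn@REALM' into ([c1, ..., cn], REALM), any number of components."""
    if "@" not in principal:
        raise MalformedPrincipal(principal)
    body, realm = principal.rsplit("@", 1)
    comps = body.split("/")
    if not realm or any(c == "" for c in comps):
        raise MalformedPrincipal(principal)
    return comps, realm


@dataclass(frozen=True)
class Rule:
    ncomp: int      # rule applies only to principals with exactly this many components
    fmt: str        # template: $0 = realm, $1..$n = components
    match: str      # regex the filled-in template must fully match
    sub_from: str = ""  # optional substitution applied to the filled-in template
    sub_to: str = ""

    def apply(self, comps: List[str], realm: str) -> Optional[str]:
        if len(comps) != self.ncomp:
            return None
        text = self.fmt.replace("$0", realm)
        # Fill higher indices first so "$1" never clobbers "$10" and beyond.
        for i in range(len(comps), 0, -1):
            text = text.replace(f"${i}", comps[i - 1])
        if re.fullmatch(self.match, text) is None:
            return None
        return re.sub(self.sub_from, self.sub_to, text) if self.sub_from else text


def to_local(principal: str, rules: List[Rule], mit_mode: bool = False) -> str:
    """Map a principal to a local user name; reject unmatched principals unless mit_mode."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        local = rule.apply(comps, realm)
        if local is not None:
            return local
    if mit_mode:
        return principal  # best-effort pass-through: the behaviour the comment calls a non-starter
    raise NoMatchingRule(principal)


# Constructed rule set: one service principal, and only the "admin" and "etl" roles for users.
RULES = [
    Rule(2, "$1/$2@$0", r"hdfs/nn1\.example\.com@EXAMPLE\.COM", r"/.*", ""),
    Rule(3, "$1@$0;$2;$3", r"[^@;]+@EXAMPLE\.COM;-;(admin|etl)", r"@.*", ""),
]

if __name__ == "__main__":
    for p in ("hdfs/nn1.example.com@EXAMPLE.COM", "alice/-/admin@EXAMPLE.COM", "bob/-/guest@EXAMPLE.COM"):
        print(p, "two-component ok:", two_component_only(p))
        try:
            print("  strict ->", to_local(p, RULES))
        except NoMatchingRule:
            print("  strict -> REJECTED; mit_mode ->", to_local(p, RULES, mit_mode=True))
```

Run stand-alone it shows the contrast the thread is about: the service principal is accepted by both the legacy regex and the rules, the role-encoded admin principal is rejected by the legacy regex but mapped to "alice" by the three-component rule, and the "guest" role is rejected outright in strict mode yet leaks through unchanged in MIT mode.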


