hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16214) Kerberos name implementation in Hadoop does not accept principals with more than two components
Date Fri, 10 May 2019 16:11:00 GMT

https://issues.apache.org/jira/browse/HADOOP-16214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16837418#comment-16837418

Daryn Sharp commented on HADOOP-16214:

{quote}This only benefits his own proposal of using auth_to_local as firewall rules to prevent unauthorized users from getting into the secure cluster. This is not retaining backward compatibility, but benefits his own agenda.{quote}
Please do not conflate authentication with authorization. Your proposal of using auth_to_local as a firewall rule is trying to block anonymous users from gaining access to the system during the authentication phase.
The auth_to_local rules are, and always have been, a whitelist for authorization. Rejecting your proposal to change out-of-scope semantics is neither a proposal nor an agenda.

As an example of practicality to others, would an admin prefer:
1. Define a few auth_to_local rules to whitelist principals (in this case to enforce principals containing the authorized roles). One change protects all services.
2. Define N-many ACLs for _every_ current/future service – assuming the service even has ACL support. Remain hyper-vigilant to detect and define ACLs for every current/future service & protocol.

The default behavior is and must remain #1. An admin may already select #2 via an explicit wildcard rule if they wish, and bear the brunt of defining and auditing all their services. Debating a change to these semantics is out of scope for this jira.


> Kerberos name implementation in Hadoop does not accept principals with more than two components
> -----------------------------------------------------------------------------------------------
>                 Key: HADOOP-16214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16214
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: auth
>            Reporter: Issac Buenrostro
>            Priority: Major
>         Attachments: Add-service-freeipa.png, HADOOP-16214.001.patch, HADOOP-16214.002.patch,
HADOOP-16214.003.patch, HADOOP-16214.004.patch, HADOOP-16214.005.patch, HADOOP-16214.006.patch,
HADOOP-16214.007.patch, HADOOP-16214.008.patch, HADOOP-16214.009.patch, HADOOP-16214.010.patch,
HADOOP-16214.011.patch, HADOOP-16214.012.patch, HADOOP-16214.013.patch
> org.apache.hadoop.security.authentication.util.KerberosName is in charge of converting
a Kerberos principal to a user name in Hadoop for all of the services requiring authentication.
> Although the Kerberos spec ([https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html]) allows
for an arbitrary number of components in the principal, the Hadoop implementation will throw
a "Malformed Kerberos name:" error if the principal has more than two components (because
the regex can only read serviceName and hostName).
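As an added example (not Hadoop's KerberosName code and not one of the patches on this ticket), the Python model below does two things the text describes: it parses principals with any number of components instead of only serviceName/hostName, and it evaluates auth_to_local-style rules with the whitelist semantics discussed in the comment above, so a principal that no rule accepts is rejected unless the admin configures an explicit wildcard rule. The rule strings, principals and realms are constructed for illustration, and the translation of Java-style `$1` back-references to Python's `\1` is an assumption of this model.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Hadoop's KerberosName: a simplified model of principal
# parsing and auth_to_local rule evaluation. Rule syntax follows Hadoop's
# RULE:[n:format](filter)s/pattern/replacement/g and DEFAULT; sample values are
# constructed for illustration.

# Shape of the two-component-only pattern the ticket describes: primary, an
# optional instance, and a realm. A third component fails it.
TWO_COMPONENT_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")

# Generalized pattern: one or more '/'-separated components, optional '@REALM'.
PRINCIPAL_RE = re.compile(r"^([^/@]+(?:/[^/@]+)*)(?:@([^/@]+))?$")


@dataclass
class Principal:
    components: List[str]
    realm: Optional[str]


def parse_principal(name: str) -> Principal:
    """Split 'c1/c2/.../cn[@REALM]' into components and realm, any component count."""
    m = PRINCIPAL_RE.match(name)
    if not m:
        raise ValueError(f"Malformed Kerberos name: {name}")
    return Principal(m.group(1).split("/"), m.group(2))


def accepted_by_two_component_regex(name: str) -> bool:
    """True if the name would pass a serviceName/hostName@REALM-only regex."""
    return TWO_COMPONENT_RE.match(name) is not None


# n is the component count (realm excluded); $0 is the realm, $1..$n the components.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


@dataclass
class Rule:
    num_components: Optional[int]          # None means the DEFAULT rule
    fmt: str = ""
    accept: Optional[re.Pattern] = None
    sub_from: Optional[re.Pattern] = None
    sub_to: str = ""
    repeat: bool = False


def parse_rule(text: str) -> Rule:
    if text == "DEFAULT":
        return Rule(None)
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"Invalid rule: {text}")
    n, fmt, accept, sub_from, sub_to, g = m.groups()
    # Assumption of this model: Java-style $1 in the replacement becomes Python's \1.
    py_sub_to = re.sub(r"\$(\d)", r"\\\1", sub_to or "")
    return Rule(int(n), fmt,
                re.compile(accept) if accept else None,
                re.compile(sub_from) if sub_from else None,
                py_sub_to, g == "g")


def expand(fmt: str, p: Principal) -> str:
    """Replace $0 with the realm and $i with the i-th component."""
    def repl(m: re.Match) -> str:
        i = int(m.group(1))
        return (p.realm or "") if i == 0 else p.components[i - 1]
    return re.sub(r"\$(\d)", repl, fmt)


class NoMatchingRule(Exception):
    pass


def short_name(name: str, rules: List[str], default_realm: str) -> str:
    """Map a principal to a short user name; raise if no rule accepts it (whitelist)."""
    p = parse_principal(name)
    if p.realm is None and len(p.components) == 1:
        return p.components[0]                 # plain local user name, no realm
    for rule in map(parse_rule, rules):
        if rule.num_components is None:        # DEFAULT: first component, default realm only
            if p.realm == default_realm:
                return p.components[0]
            continue
        if rule.num_components != len(p.components):
            continue
        s = expand(rule.fmt, p)
        if rule.accept and not rule.accept.fullmatch(s):
            continue
        if rule.sub_from:
            s = rule.sub_from.sub(rule.sub_to, s, count=0 if rule.repeat else 1)
        return s
    raise NoMatchingRule(f"No rules applied to {name}")


# Constructed rule sets. WHITELIST_RULES admit three-component principals whose
# third component is "admin" in EXAMPLE.COM, plus default-realm names via DEFAULT;
# anything from another realm is rejected. WILDCARD_RULES prepend a rule that
# admits every one-component principal from any realm, leaving authorization to
# per-service ACLs.
WHITELIST_RULES = [
    r"RULE:[3:$3-$1@$0](admin-.*@EXAMPLE\.COM)s/admin-(.*)@.*/$1/",
    "DEFAULT",
]
WILDCARD_RULES = [r"RULE:[1:$1@$0](.*)s/@.*//"] + WHITELIST_RULES
```

Running `short_name("alice@OTHER.REALM", WHITELIST_RULES, "EXAMPLE.COM")` raises `NoMatchingRule`, while the same call with `WILDCARD_RULES` returns `alice`; that difference is the whitelist-versus-wildcard choice the comment describes, and `accepted_by_two_component_regex` shows which principals the older pattern turns away.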

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
