hbase-user mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: Kerberized thrift and username normalization
Date Mon, 27 Mar 2017 18:31:05 GMT
Hi Anders,

Your investigation is surprising to me! I would guess that it is 
unintended that the auth_to_local rules would not be applied, and that 
the realm removal is just done as a "convenience".

If you have the interest in fixing up the code, I'd be happy to review 
it and help shepherd it in.

Anders Ossowicki wrote:
> Hi,
>
> We've recently enabled Kerberos authentication on the thrift gateway
> for hbase (hbase.thrift.security.qop=auth). The underlying hbase and
> hadoop setup is already fully kerberized.
>
> We are also using the AccessController, so usernames are important for
> mapping permissions.
>
> We've run into an issue with normalizing usernames, that I'm not sure
> I can see a solution to:
>
> When a user authenticates with thrift, thrift strips the realm:
>
> https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L543
>
> String userName = SecurityUtil.getUserFromPrincipal(authzid);
>
>    public static String getUserFromPrincipal(final String principal) {
>      int i = principal.indexOf("/");
>      if (i == -1) {
>        i = principal.indexOf("@");
>      }
>      return (i > -1) ? principal.substring(0, i) : principal;
>    }
>
> So foo@EXAMPLE.ORG becomes 'foo'. This is then sent onwards to hbase.
>
> However, we would like to normalize usernames, since we have users on
> platforms where usernames are case insensitive. We have an
> auth_to_local rule to do this for hbase, hdfs and other hadoop
> services, but these rules do not fire unless hadoop gets the full
> principal. Since thrift only sends 'foo', no further normalization is
> done.
>
> Is there a good reason for removing the realm in thrift? Presumably
> that decision should be done by hbase itself if need be (with the
> auth_to_local rules), but I guess I might be missing something.
>
