Hi Anders,
Your investigation is surprising to me! I would guess that it is
unintended that the auth_to_local rules would not be applied, and that
the realm removal is just done as a "convenience".
If you have the interest in fixing up the code, I'd be happy to review
it and help shepherd it in.
Anders Ossowicki wrote:
> Hi,
>
> We've recently enabled Kerberos authentication on the thrift gateway
> for hbase (hbase.thrift.security.qop=auth). The underlying hbase and
> hadoop setup is already fully kerberized.
>
> We are also using the AccessController, so usernames are important for
> mapping permissions.
>
> We've run into an issue with normalizing usernames, that I'm not sure
> I can see a solution to:
>
> When a user authenticates with thrift, thrift strips the realm:
>
> https://github.com/apache/hbase/blob/master/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java#L543
>
> String userName = SecurityUtil.getUserFromPrincipal(authzid);
>
> public static String getUserFromPrincipal(final String principal) {
>   int i = principal.indexOf("/");
>   if (i == -1) {
>     i = principal.indexOf("@");
>   }
>   return (i > -1) ? principal.substring(0, i) : principal;
> }
>
> So foo@EXAMPLE.ORG becomes 'foo'. This is then sent onwards to hbase.
>
> However, we would like to normalize usernames, since we have users on
> platforms where usernames are case insensitive. We have an
> auth_to_local rule to do this for hbase, hdfs and other hadoop
> services, but these rules do not fire unless hadoop gets the full
> principal. Since thrift only sends 'foo', no further normalization is
> done.
>
> Is there a good reason for removing the realm in thrift? Presumably
> that decision should be done by hbase itself if need be (with the
> auth_to_local rules), but I guess I might be missing something.
>
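To make the failure mode concrete, here is an added example (not code from the thread, HBase or Hadoop) that models Hadoop's KerberosName rule evaluation in Python next to the realm-stripping quoted above. The rule set and realm EXAMPLE.ORG are constructed for the example; the key behaviour modelled is that a name arriving without a realm is returned as-is, so a lowercasing rule never runs on what the Thrift gateway forwards, and `Foo` and `foo` reach the AccessController as two different users.

```python
import re

# Constructed rule set (an assumption, not from the thread). Hadoop syntax:
#   RULE:[n:fmt](filter)s/pattern/replacement/[g][L]   or   DEFAULT
# n = number of components before the realm, $0 = realm, $1/$2 = components,
# (filter) must match the formatted string, s/// rewrites it, L lowercases.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](.*@EXAMPLE\.ORG)s/@.*//L",
    r"RULE:[2:$1/$2@$0](hbase/.*@EXAMPLE\.ORG)s/.*/hbase/",
    "DEFAULT",
]
DEFAULT_REALM = "EXAMPLE.ORG"
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/([gL]*))?$")


def split_principal(principal):
    """'hbase/host@REALM' -> (['hbase', 'host'], 'REALM'); 'foo' -> (['foo'], None)."""
    name, realm = principal.rsplit("@", 1) if "@" in principal else (principal, None)
    return name.split("/"), realm


def apply_rule(rule, components, realm):
    """Return the short name this rule produces, or None if it does not apply."""
    if rule == "DEFAULT":
        return components[0] if realm == DEFAULT_REALM else None
    ncomp, fmt, flt, pat, repl, flags = RULE_RE.match(rule).groups()
    if int(ncomp) != len(components):
        return None
    params = [realm] + components
    formatted = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
    if flt and not re.fullmatch(flt, formatted):
        return None
    if pat is not None:
        formatted = re.sub(pat, repl, formatted, count=0 if "g" in flags else 1)
    return formatted.lower() if "L" in (flags or "") else formatted


def short_name(principal, rules=AUTH_TO_LOCAL):
    """Model of KerberosName.getShortName(): no realm means no rule is evaluated."""
    components, realm = split_principal(principal)
    if realm is None:
        return components[0]  # already 'simple': returned untouched, rules skipped
    for rule in rules:
        result = apply_rule(rule, components, realm)
        if result is not None:
            return result
    raise ValueError("no auth_to_local rule matched " + principal)


def thrift_strip_realm(principal):
    """Same behaviour as the SecurityUtil.getUserFromPrincipal snippet above."""
    i = principal.find("/")
    if i == -1:
        i = principal.find("@")
    return principal[:i] if i > -1 else principal


def effective_user(principal, via_thrift):
    """The user name the AccessController ends up authorizing against."""
    return short_name(thrift_strip_realm(principal) if via_thrift else principal)
```

Running `effective_user("Foo@EXAMPLE.ORG", via_thrift=False)` gives `foo`, while the Thrift path gives `Foo`, which is exactly the mismatch the rules were written to prevent.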