Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12751

While using kerberos Hadoop incorrectly assumes names with '@' to be non-simple

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 2.7.2
    • 2.8.0, 3.0.0-alpha1, 2.7.6
    • security

    • kerberos

    • Reviewed

    Description

      In the scenario of a trust between two directories, eg. FreeIPA (ipa.local) and Active Directory (ad.local) users can be made available on the OS level by something like sssd. The trusted users will be of the form 'user@ad.local' while other users are will not contain the domain. Executing 'id -Gn user@ad.local' will successfully return the groups the user belongs to if configured correctly.

      However, it is assumed by Hadoop that users of the format with '@' cannot be correct. This code is in KerberosName.java and seems to be a validator if the 'auth_to_local' rules are applied correctly.

      In my opinion this should be removed or changed to a different kind of check or maybe logged as a warning while still proceeding, as the current behavior limits integration possibilities with other standard tools.

      Workaround are difficult to apply (by having a rewrite by system tools to for example user_ad_local) due to down stream consequences.

      Attachments

        1. HADOOP-12751-branch-2.7.009.patch
          7 kB
          Konstantin Shvachko
        2. HADOOP-12751-009.patch
          13 kB
          Steve Loughran
        3. 0008-HADOOP-12751-leave-user-validation-to-os.patch
          13 kB
          Bolke de Bruin
        4. 0008-HADOOP-12751-leave-user-validation-to-os.patch
          13 kB
          Bolke de Bruin
        5. 0007-HADOOP-12751-leave-user-validation-to-os.patch
          13 kB
          Bolke de Bruin
        6. 0007-HADOOP-12751-leave-user-validation-to-os.patch
          13 kB
          Bolke de Bruin
        7. 0006-HADOOP-12751-leave-user-validation-to-os.patch
          12 kB
          Bolke de Bruin
        8. 0005-HADOOP-12751-leave-user-validation-to-os.patch
          10 kB
          Bolke de Bruin
        9. 0004-HADOOP-12751-leave-user-validation-to-os.patch
          5 kB
          Bolke de Bruin
        10. 0003-HADOOP-12751-leave-user-validation-to-os.patch
          4 kB
          Bolke de Bruin
        11. 0002-HADOOP-12751-leave-user-validation-to-os.patch
          3 kB
          Bolke de Bruin
        12. 0001-Remove-check-for-user-name-characters-and.patch
          5 kB
          Bolke de Bruin
        13. 0001-HADOOP-12751-leave-user-validation-to-os.patch
          2 kB
          Bolke de Bruin

        Issue Links

          is depended upon by

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12649 Improve Kerberos diagnostics and failure handling

          • Major - Major loss of function.
          • Open
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HIVE-15174 Respect auth_to_local rules from hdfs configs (core-site.xml) for LDAP authentication too

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. HIVE-12981 ThriftCLIService uses incompatible getShortName() implementation

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-15996 Plugin interface to support more complex usernames in Hadoop

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-15959 revert HADOOP-12751

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            People

              bolke Bolke de Bruin
              bolke Bolke de Bruin
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: