[
https://issues.apache.org/jira/browse/HADOOP-12751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16331429#comment-16331429
]
Konstantin Shvachko edited comment on HADOOP-12751 at 1/18/18 11:42 PM:
------------------------------------------------------------------------
Thanks for the review [~brahmareddy].
Yes Yetus is trying to download Oracle Java 8, which probably requires a login.
It should be OpenJDK7 for branch-2.7. Something that should have been fixed by
HADOOP-14474?
was (Author: shv):
Thanks for the review [~brahmareddy].
Yes Yetus is trying to download Oracle Java 8, which probably requires a login.
It should be OpenJDK2 for branch-2.7. Something that should have been fixed by
HADOOP-14474?
> While using kerberos Hadoop incorrectly assumes names with '@' to be
> non-simple
> -------------------------------------------------------------------------------
>
> Key: HADOOP-12751
> URL: https://issues.apache.org/jira/browse/HADOOP-12751
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.2
> Environment: kerberos
> Reporter: Bolke de Bruin
> Assignee: Bolke de Bruin
> Priority: Critical
> Labels: kerberos
> Fix For: 2.8.0, 3.0.0-alpha1
>
> Attachments: 0001-HADOOP-12751-leave-user-validation-to-os.patch,
> 0001-Remove-check-for-user-name-characters-and.patch,
> 0002-HADOOP-12751-leave-user-validation-to-os.patch,
> 0003-HADOOP-12751-leave-user-validation-to-os.patch,
> 0004-HADOOP-12751-leave-user-validation-to-os.patch,
> 0005-HADOOP-12751-leave-user-validation-to-os.patch,
> 0006-HADOOP-12751-leave-user-validation-to-os.patch,
> 0007-HADOOP-12751-leave-user-validation-to-os.patch,
> 0007-HADOOP-12751-leave-user-validation-to-os.patch,
> 0008-HADOOP-12751-leave-user-validation-to-os.patch,
> 0008-HADOOP-12751-leave-user-validation-to-os.patch, HADOOP-12751-009.patch,
> HADOOP-12751-branch-2.7.009.patch
>
>
> In the scenario of a trust between two directories, eg. FreeIPA (ipa.local)
> and Active Directory (ad.local) users can be made available on the OS level
> by something like sssd. The trusted users will be of the form '[email protected]'
> while other users are will not contain the domain. Executing 'id -Gn
> [email protected]' will successfully return the groups the user belongs to if
> configured correctly.
> However, it is assumed by Hadoop that users of the format with '@' cannot be
> correct. This code is in KerberosName.java and seems to be a validator if the
> 'auth_to_local' rules are applied correctly.
> In my opinion this should be removed or changed to a different kind of check
> or maybe logged as a warning while still proceeding, as the current behavior
> limits integration possibilities with other standard tools.
> Workaround are difficult to apply (by having a rewrite by system tools to for
> example user_ad_local) due to down stream consequences.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
