[jira] [Created] (HADOOP-15996) Plugin interface to support more complex usernames in Hadoop


JIRA jira@apache.org
Eric Yang created HADOOP-15996:
----------------------------------

             Summary: Plugin interface to support more complex usernames in Hadoop
                 Key: HADOOP-15996
                 URL: https://issues.apache.org/jira/browse/HADOOP-15996
             Project: Hadoop Common
          Issue Type: New Feature
          Components: security
            Reporter: Eric Yang


Hadoop does not allow the @ character in usernames, per the recent security mailing list vote to revert HADOOP-12751. A Hadoop auth_to_local rule must match to authorize a user to log in to a Hadoop cluster. This design does not work well in a multi-realm environment where identical usernames in two realms do not map to the same user. There is also the possibility that a lossy regex can incorrectly map users. In the interest of supporting multi-realms, it may be preferred to pass the principal name without rewrite to uniquely distinguish users. This jira is to revisit whether Hadoop can support full principal names without rewrite and provide a plugin to override Hadoop's default implementation of auth_to_local for the multi-realm use case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
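
The multi-realm collision described in the issue, modeled as an added example (not part of the original message and not Hadoop's code): a simplified Python evaluator for rules of the form `RULE:[n:format](regex)s/pattern/replacement/` that reports which principals end up sharing one mapped name. The realms, principals and rule strings are constructed for illustration, and `DEFAULT` rules are not modeled.

```python
import re
from collections import defaultdict

# Simplified model of a Kerberos-style rule: RULE:[n:format](accept)s/pattern/replacement/[g]
RULE = re.compile(r"RULE:\[(\d):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")

def apply_rule(rule, principal):
    """Return the short name this rule yields, or None if the rule does not apply."""
    num, fmt, accept, pat, repl, glob = RULE.match(rule).groups()
    name, _, realm = principal.rpartition("@")
    parts = [realm] + name.split("/")          # $0 = realm, $1..$n = name components
    if len(parts) - 1 != int(num):             # rule only applies to n-component names
        return None
    base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
    if not re.fullmatch(accept, base):         # accept regex must match the whole string
        return None
    return re.sub(pat, repl, base, count=0 if glob else 1)

def short_name(rules, principal):
    """First matching rule wins; no match means the principal is not mapped."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None

def collisions(rules, principals):
    """Group principals by mapped name; keep names shared by more than one principal."""
    groups = defaultdict(list)
    for p in principals:
        groups[short_name(rules, p)].append(p)
    return {n: ps for n, ps in groups.items() if n is not None and len(ps) > 1}

# Constructed sample data: realm names and rules are illustrative only.
PRINCIPALS = ["alice@CORP.EXAMPLE.COM", "alice@PARTNER.EXAMPLE.ORG", "bob@CORP.EXAMPLE.COM"]
LOSSY = [r"RULE:[1:$1@$0](.*@.*)s/@.*//"]    # strips any realm
PER_REALM = [r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",
             r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE\.ORG)s/@.*\.ORG/_partner/"]

if __name__ == "__main__":
    print("lossy rule collisions:    ", collisions(LOSSY, PRINCIPALS))
    print("per-realm rule collisions:", collisions(PER_REALM, PRINCIPALS))
```

Running `collisions` over a directory export of principals before deploying a rule set shows which accounts from different realms would be authorized as the same Hadoop user.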
