Hi Hadoop Common developers,

I am writing to seek your opinion about a feature request: support the MIT Kerberos localauth plugin API [1].

Hadoop currently provides the hadoop.security.auth_to_local setting to map Kerberos principals to OS user accounts [2][3]. However, the regex-based mappings (which mimic krb5.conf auth_to_local) could be difficult to use in complex scenarios. Therefore, MIT Kerberos 1.12 added a plugin interface to control krb5_aname_to_localname and krb5_kuserok behavior, and the system daemon SSSD (RHEL/Fedora) has already implemented a plugin to leverage this feature [4].

Is it possible for Hadoop to support a plugin API similar to localauth (when Kerberos security is enabled)?

Thanks.

References:
[1] Local authorization interface (localauth) http://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/localauth.html
[2] Hadoop in Secure Mode - Mapping from Kerberos principal to OS user account http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from_Kerberos_principal_to_OS_user_account
[3] Need mapping from long principal names to local OS user names https://issues.apache.org/jira/browse/HADOOP-6526
[4] Allow Kerberos Principals in getpwnam() calls https://fedorahosted.org/sssd/wiki/DesignDocs/NSSWithKerberosPrincipal
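
To make the regex-based mapping discussed in this message concrete, here is an added example (not part of the original message and not Hadoop's code): a simplified Python model of how RULE:[n:format](regexp)s/pattern/replacement/ and DEFAULT entries are evaluated in order. The realms, principals and rule set are constructed, and parse_rules and to_local are hypothetical names.

```python
import re

DEFAULT_REALM = "EXAMPLE.COM"  # assumed default realm (constructed)

# Constructed sample value for hadoop.security.auth_to_local.
RULES = r"""
RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//
DEFAULT
"""

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def parse_rules(text):
    """Turn the rule text into a list of 'DEFAULT' markers and rule tuples."""
    rules = []
    for line in text.split():
        if line == "DEFAULT":
            rules.append("DEFAULT")
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        rules.append(m.groups())
    return rules

def to_local(principal, rules, default_realm=DEFAULT_REALM):
    """Return the local name from the first rule that applies, else None."""
    name, _, realm = principal.rpartition("@")
    params = [realm] + name.split("/")      # $0 = realm, $1.. = components
    for rule in rules:
        if rule == "DEFAULT":
            # Model assumption: DEFAULT yields the first component, but
            # only for principals in the default realm.
            if realm == default_realm:
                return params[1]
            continue
        count, fmt, match, pat, repl, glob = rule
        if int(count) != len(params) - 1:   # rule is for another arity
            continue
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        if pat is None:
            return base
        # sed-style substitution: first occurrence only unless 'g' is set
        return re.sub(pat, lambda _m: repl, base, count=0 if glob else 1)
    return None                             # no rule covers this principal
```

A principal that no rule covers comes back as None here, and a mapping that depends on data outside the principal string cannot be written in this rule language at all, which is the kind of case a localauth-style plugin interface would handle.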
