The big question is whether or not Java’s implementation of Kerberos supports it. If so, which JDK release. Java’s implementation tends to run a bit behind MIT. Additionally, there is a general reluctance to move Hadoop’s baseline Java version to something even supported until user outcry demands it. So I’d expect support to be a long way off.
It’s worth noting that trunk exposes the hadoop kerbname command to help out with auth_to_local mapping, BTW.

On Feb 23, 2015, at 2:12 AM, Sunny Cheung <sunny.che...@centrify.com> wrote:

> Hi Hadoop Common developers,
>
> I am writing to seek your opinion about a feature request: support MIT
> Kerberos localauth plugin API [1].
>
> Hadoop currently provides the hadoop.security.auth_to_local setting to map
> Kerberos principal to OS user account [2][3]. However, the regex-based
> mappings (which mimic krb5.conf auth_to_local) could be difficult to use in
> complex scenarios. Therefore, MIT Kerberos 1.12 added a plugin interface to
> control krb5_aname_to_localname and krb5_kuserok behavior. And system daemon
> SSSD (RHEL/Fedora) has already implemented a plugin to leverage this feature
> [4].
>
> Is it possible for Hadoop to support a plugin API similar to localauth
> (when Kerberos security is enabled)? Thanks.
>
> References:
> [1] Local authorization interface (localauth)
> http://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/localauth.html
> [2] Hadoop in Secure Mode - Mapping from Kerberos principal to OS user account
> http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from_Kerberos_principal_to_OS_user_account
> [3] Need mapping from long principal names to local OS user names
> https://issues.apache.org/jira/browse/HADOOP-6526
> [4] Allow Kerberos Principals in getpwnam() calls
> https://fedorahosted.org/sssd/wiki/DesignDocs/NSSWithKerberosPrincipal
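To make concrete the regex-based hadoop.security.auth_to_local mapping the thread is discussing, here is an added illustration that is not part of the thread and not Hadoop's own code: a simplified Python re-implementation of how RULE/DEFAULT entries are evaluated (format string, full-match regex, sed-style substitution, optional /L lowercasing, first match wins). The rules, principals and default realm are constructed for the example, and the DEFAULT behaviour (first component, only for the default realm) is assumed to follow the Hadoop documentation.

```python
import re

# Constructed sample rules, as an admin might put them in core-site.xml
RULES = """
RULE:[2:$1@$0]([nd]n@.*EXAMPLE\\.COM)s/.*/hdfs/
RULE:[2:$1@$0](hm@.*EXAMPLE\\.COM)s/.*/hbase/
RULE:[1:$1@$0](.*@CORP\\.EXAMPLE\\.COM)s/@.*///L
DEFAULT
"""
DEFAULT_REALM = "EXAMPLE.COM"  # constructed; the default realm from krb5.conf

# RULE:[n:fmt](regex)s/pattern/replacement/g/L  (regex, sed part and /L optional)
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?(/L)?$")

def parse_principal(principal):
    """Split 'primary/instance@REALM' into ([primary, instance], REALM)."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def apply_rule(rule, components, realm):
    """Return the local name if this rule matches the principal, else None."""
    if rule == "DEFAULT":
        # Map to the first component, but only for principals in our own realm
        return components[0] if realm == DEFAULT_REALM else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule}")
    ncomp, fmt, regex, pattern, repl, glob, lower = m.groups()
    if int(ncomp) != len(components):      # rule applies to n-component names only
        return None
    text = fmt.replace("$0", realm)        # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, start=1):
        text = text.replace(f"${i}", comp)
    if regex and not re.fullmatch(regex, text):   # Hadoop requires a full match
        return None
    if pattern is not None:                # sed-style s/pattern/repl/ (g = all)
        text = re.sub(pattern, repl, text, count=0 if glob else 1)
    return text.lower() if lower else text

def to_local(principal, rules=RULES):
    """Evaluate rules top to bottom; the first matching rule decides."""
    components, realm = parse_principal(principal)
    for rule in (r.strip() for r in rules.strip().splitlines()):
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    # No rule matched: Hadoop rejects the principal rather than guessing
    raise ValueError(f"no auth_to_local rule matched {principal}")
```

Note that a principal from a realm no rule covers is rejected rather than silently mapped, which is the behaviour to check for when reviewing a cluster's auth_to_local configuration.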