Hello Leo/Liou >> And the plugin interface can be as simple as this function (error handling >> ignored here) ... I thought it's good to have the pluggable allowing to customize the method how to perform the mapping. You could open a JIRA for this. If you'd like to work on it and need help, please feel free to ask (me or the community), or discuss in the JIRA, as the community do.
With the pluggable interface, you could provide a native implementation leveraging the MIT localauth plugin via JNI, just as it's done for user groups mapping provider. If you're looking for something pure in Java, as Allen said, the localauth plugin support isn't available in JRE as Java would not be so quick to catch up with latest Kerberos features. One possibility would be to leverage Apache Kerby, you can fire an issue request there and let's see how it works out then. https://issues.apache.org/jira/browse/DIRKRB-102 Regards, Kai -----Original Message----- From: Sunny Cheung [mailto:sunny.che...@centrify.com] Sent: Thursday, March 05, 2015 3:42 PM To: common-dev@hadoop.apache.org Cc: Leo Liou Subject: RE: [RFE] Support MIT Kerberos localauth plugin API Sorry I was not clear enough about the problem. Let me explain more here. Our problem is that normal user principal names can be very different from their Unix login. Some customers simply have arbitrary mapping between their Kerberos principals and Unix user accounts. For example, one customer has over 200K users on AD with Kerberos principals in format "<first name>.<last name>@REALM" (e.g. john....@example.com). But their Unix names are in format "user<ID>" or just "<ID>" (e.g. user123456, 123456). So, when Kerberos security is enabled on Hadoop clusters, how should we configure to authenticate these users from Hadoop clients? The current way is to use the hadoop.security.auth_to_local setting, e.g. from core-site.xml: <property> <name>hadoop.security.auth_to_local</name> <value> RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT</value> <description>The mapping from kerberos principal names to local OS user names.</description> </property> These name translation rules can handle cases like mapping service accounts' principals (e.g. nn/<host>@REALM or dn/<host>@REALM to hdfs). But that is not scalable for normal users. There are just too many users to handle (as compared to the finite amount of service accounts). Therefore, we would like to ask if alternative name resolution plugin interface can be supported by Hadoop. It could be similar to the way alternative authentication plugin is supported for HTTP web-consoles [1]: <property> <name>hadoop.http.authentication.type</name> <value>org.my.subclass.of.AltKerberosAuthenticationHandler</value> </property> And the plugin interface can be as simple as this function (error handling ignored here): String auth_to_local (String krb5Principal) { ... return unixName; } If this plugin interface is supported by Hadoop, then everyone can provide a plugin to support arbitrary mapping. This will be extremely useful when administrators need to tighten security on Hadoop with existing Kerberos infrastructure. References: [1] Authentication for Hadoop HTTP web-consoles http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html -----Original Message----- From: Allen Wittenauer [mailto:a...@altiscale.com] Sent: Tuesday, February 24, 2015 12:47 AM To: common-dev@hadoop.apache.org Subject: Re: [RFE] Support MIT Kerberos localauth plugin API The big question is whether or not Java's implementation of Kerberos supports it. If so, which JDK release. Java's implementation tends to run a bit behind MIT. Additionally, there is a general reluctance to move Hadoop's baseline Java version to something even supported until user outcry demands it. So I'd expect support to be a long way off. It's worth noting that trunk exposes the hadoop kerbname command to help out with auth_to_local mapping, BTW. On Feb 23, 2015, at 2:12 AM, Sunny Cheung <sunny.che...@centrify.com> wrote: > Hi Hadoop Common developers, > > I am writing to seek your opinion about a feature request: support MIT > Kerberos localauth plugin API [1]. > > Hadoop currently provides the hadoop.security.auth_to_local setting to map > Kerberos principal to OS user account [2][3]. However, the regex-based > mappings (which mimics krb5.conf auth_to_local) could be difficult to use in > complex scenarios. Therefore, MIT Kerberos 1.12 added a plugin interface to > control krb5_aname_to_localname and krb5_kuserok behavior. And system daemon > SSSD (RHEL/Fedora) has already implemented a plugin to leverage this feature > [4]. > > Is that possible for Hadoop to support a plugin API similar to localauth > (when Kerberos security is enabled)? Thanks. > > References: > [1] Local authorization interface (localauth) > http://web.mit.edu/kerberos/krb5-1.12/doc/plugindev/localauth.html > [2] Hadoop in Secure Mode - Mapping from Kerberos principal to OS user > account > http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-commo > n/SecureMode.html#Mapping_from_Kerberos_principal_to_OS_user_account > [3] Need mapping from long principal names to local OS user names > https://issues.apache.org/jira/browse/HADOOP-6526 > [4] Allow Kerberos Principals in getpwnam() calls > https://fedorahosted.org/sssd/wiki/DesignDocs/NSSWithKerberosPrincipal