05-10-2017 01:59 AM
I'm having some issues configuring the mapping from Kerberos SPN/UPN to Hadoop short-names.
I've a complex AD setup with two distinct domains:
The cluster is using RHEL 7 as OS, and I've joined all the hosts to SERVICES.COM using SSSD (we do this for all the Linux hosts). With SSSD all users from USERS.COM are "available" in our servers as firstname.lastname@example.org.
My problem is: I can't configure the mapping from UPN user_name@USERS.COM to short-name email@example.com. I've actually managed to write a working rule but apparently Hadoop doesn't accept a short-name with a @ in it:
[root@host:~/test_mapping]# hadoop org.apache.hadoop.security.HadoopKerberosName user_name@USERS.COM
Exception in thread "main" org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: Non-simple name firstname.lastname@example.org after auth_to_local rule RULE:[1:$1@$0](.*@\QUSERS.COM\E$)s/(.*)@\QUSERS.COM\Eemail@example.com/g/L
Digging through the issues in Hadoop's upstream JIRA I've found this: https://issues.apache.org/jira/browse/HADOOP-12751
This seems to be a fix to my issue merged in Hadoop 2.8/3.0.
Any chance this will be backported to a future 5.11.x?
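
As an added illustration (not part of the original post and not Hadoop's own code), here is a simplified Python model of how a single auth_to_local rule is evaluated, and why a result that still contains an @ is rejected with the "Non-simple name" error quoted above. The two rules are constructed samples; Python regex syntax stands in for Java's, so \Q...\E is written as escaped dots, and the replacement text is treated as literal.

```python
import re

# Simplified model of evaluating one Hadoop auth_to_local rule of the form
#   RULE:[n:format](match)s/from/to/[g][/L]
# Assumptions: Python regex syntax replaces Java's (no \Q...\E), and "to" is
# treated as literal text (no $1 back-references in the replacement).
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?$")

class NonSimpleName(Exception):
    """Models the 'Non-simple name ... after auth_to_local rule' failure."""

def apply_rule(rule, principal):
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unparseable rule: " + rule)
    n, fmt, match, frm, to, repeat, lower = m.groups()
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")          # $0 = realm, $1.. = components
    if len(params) - 1 != int(n):
        return None                             # component count does not match
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if match is not None and not re.fullmatch(match, base):
        return None                             # rule does not apply
    result = base
    if frm is not None:
        result = re.sub(frm, lambda _: to, base, count=0 if repeat else 1)
    if re.search(r"[/@]", result):              # short names may not keep @ or /
        raise NonSimpleName(f"Non-simple name {result} after auth_to_local rule {rule}")
    return result.lower() if lower else result

# Constructed sample rules (not taken from the post):
STRIP_REALM = r"RULE:[1:$1@$0](.*@USERS\.COM)s/@USERS\.COM//"
KEEP_REALM = r"RULE:[1:$1@$0](.*@USERS\.COM)s/@USERS\.COM/@users.com//L"

if __name__ == "__main__":
    print(apply_rule(STRIP_REALM, "user_name@USERS.COM"))
    try:
        apply_rule(KEEP_REALM, "user_name@USERS.COM")
    except NonSimpleName as exc:
        print("rejected:", exc)
```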