Short name mapping: "Non-simple name"

Hi,

I'm having some issues configuring the mapping from Kerberos SPN/UPN to Hadoop short-names.
I've a complex AD setup with two distinct domains:

  • SERVICES.COM: this is a domain dedicated to hosts and services. This is the one used for the cluster configuration via Cloudera Manager.
  • USERS.COM: this is the domain with all the users in the company (it's a different domain for organizational reasons, managed by different teams with different policies)


The cluster is using RHEL 7 as OS, and I've joined all the hosts to SERVICES.COM using SSSD (we do this for all the Linux hosts). With SSSD all users from USERS.COM are "available" in our servers as user_name@users.com.

My problem is: I can't configure the mapping from UPN user_name@USERS.COM to short-name user_name@users.com. I've actually managed to write a working rule but apparently Hadoop doesn't accept a short-name with a @ in it:

[root@host:~/test_mapping]# hadoop org.apache.hadoop.security.HadoopKerberosName user_name@USERS.COM
Exception in thread "main" org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: Non-simple name user_name@users.com after auth_to_local rule RULE:[1:$1@$0](.*@\QUSERS.COM\E$)s/(.*)@\QUSERS.COM\E$/$1@users.com/g/L
    at org.apache.hadoop.security.authentication.util.KerberosName$Rule.apply(KerberosName.java:326)
    at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:395)
    at org.apache.hadoop.security.HadoopKerberosName.main(HadoopKerberosName.java:82)

Digging through the issues in Hadoop's upstream JIRA I've found this: https://issues.apache.org/jira/browse/HADOOP-12751
This seems to be a fix to my issue merged in Hadoop 2.8/3.0.

Any chance this will be backported to a future 5.11.x?
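
Added example, not part of the original post and not Hadoop's own code: a simplified Python model of how the auth_to_local rule quoted in the stack trace is evaluated, showing that the rule itself matches and rewrites correctly and that the failure comes from the later check for `/` or `@` in the result. The `strict` switch, the helper names and the sample principals other than user_name@USERS.COM are assumptions of this sketch.

```python
import re

NON_SIMPLE = re.compile(r"[/@]")   # the check behind "Non-simple name"

class NoMatchingRule(Exception):
    pass

def apply_rule(principal, n, fmt, match, sed_from, sed_to,
               repeat=False, lower=False, strict=True):
    """Evaluate one RULE:[n:fmt](match)s/sed_from/sed_to/ with optional g and /L.
    strict is a hypothetical switch of this sketch, not a Hadoop setting."""
    name, _, realm = principal.rpartition("@")
    params = [realm] + name.split("/")       # $0 = realm, $1.. = name components
    if len(params) - 1 != n:
        return None                          # component count differs: rule skipped
    base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
    if not re.fullmatch(match, base):
        return None                          # filter must match the whole string
    result = re.sub(sed_from, sed_to, base, count=0 if repeat else 1)
    if strict and NON_SIMPLE.search(result):
        raise NoMatchingRule(f"Non-simple name {result}")
    return result.lower() if lower else result

# The rule from the post. Java's \Q...\E quoting becomes re.escape(), and the
# Java replacement $1 becomes \1.
REALM = re.escape("USERS.COM")
POST_RULE = dict(n=1, fmt="$1@$0", match=".*@" + REALM + "$",
                 sed_from="(.*)@" + REALM + "$", sed_to=r"\1@users.com",
                 repeat=True, lower=True)

def evaluate(principal, strict=True):
    """Return the short name, None if the rule is skipped, or the error text."""
    try:
        return apply_rule(principal, strict=strict, **POST_RULE)
    except NoMatchingRule as exc:
        return f"ERROR: {exc}"

if __name__ == "__main__":
    # Constructed sample principals, apart from the first, which is from the post.
    for p in ("user_name@USERS.COM", "hdfs/host1@SERVICES.COM", "alice@OTHER.COM"):
        print(p, "->", evaluate(p), "| relaxed:", evaluate(p, strict=False))
```

With `strict=True` the model reproduces the error text from the trace; with `strict=False` the same rule yields user_name@users.com, the name SSSD exposes on the hosts.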
