ATL (auth to local rules) support does not exist yet, short principals will be used in authentication / authorization.
This impacts custom Kerberos principals and any use case relying on Kerberos auth to local rules.
--- o --- Details:
In production environments, there is a need for customizing Kerberos principals. Furthermore, when somebody is working with a Kafka cluster, there are usually additional services like Ranger, Cruise Control and so on. Currently, Cruise Control does not support ATL (auth to local) rules.
By default, the Hadoop and other auth-to-local rules map a principal of the form {username}/{hostname}@{REALM} to {username}. This means if there are multiple clusters in the same realm, then principals associated with hosts of one cluster would map to the same user in all other clusters. Of course, Cruise Control will be able to handle other types of ATL rules as well with this feature (not only the default: "{username}/{hostname}@{REALM} to {username}").
For example, if you have two clusters, cluster1-host-[1..4].example.com and cluster2-host-[1..4].example.com, that are part of the same Kerberos realm, EXAMPLE.COM, then the cluster2 principal, kafka/cluster2-host1.example.com@EXAMPLE.COM, will map to the kafka user even on cluster1 hosts.
To prevent this, use auth-to-local rules as follows to ensure only principals containing hostnames of cluster1 are mapped to legitimate users. So, this means for Cruise Control that it will be able to handle only the properly authenticated and authorized user principals and there will be no circumstances when a long user principal will be mapped to a valid short principal form.
--- o --- The task is the following:
extend SPNEGO login service to be able to handle ATLs
extend TrustedProxy login service to be able to handle ATLs
(fallback to SPNEGO will be using the extended SPNEGO login service)
add spnego.principal.to.local.rules to WebServerConfig -> "A list of rules for mapping from principal names to short names (typically operating system usernames). The rules are evaluated in order and the first rule that matches a principal name is used to map it to a short name. Any later rules in the list are ignored. By default, principal names of the form {username}/{hostname}@{REALM} are mapped to {username}. When not specified, the short name will be used."
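The auth-to-local behaviour described in this issue, as an added example written for this page (it is not Cruise Control's, Kafka's or Hadoop's code): a small evaluator for Hadoop/Kafka-style rules of the form RULE:[n:format](regex)s/pattern/replacement/ plus DEFAULT, run against the cluster1/cluster2 principals from the text. It shows that DEFAULT maps the cluster2 principal to "kafka" on cluster1 (the problem described above), that a host-restricted rule list rejects it instead, and that a rule whose output still contains "/" or "@" is refused rather than treated as a short name. The rule strings, hostnames, DEFAULT_REALM and CLUSTER1_RULES are constructed for the example; the replacement side of s/.../.../ is passed to Python's re.sub, so Java-style backreferences are not translated.

```python
"""Minimal Hadoop/Kafka-style auth-to-local rule evaluator (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar handled here: "DEFAULT" or
#   RULE:[<n>:<format>](<match-regex>)s/<pattern>/<replacement>/[g]
# where the "(...)" part and the "s/.../.../" part are each optional.
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$"
)
# A short name must never look like a principal again.
_NON_SIMPLE_RE = re.compile(r"[/@]")

DEFAULT_REALM = "EXAMPLE.COM"  # constructed; the realm from the issue text


class NoMatchingRule(Exception):
    """Raised when no rule accepts the principal; the caller must deny access."""


@dataclass
class Rule:
    is_default: bool = False
    num_components: int = 0          # components before '@' the rule applies to
    fmt: str = ""                    # $0 = realm, $1.. = principal components
    match: Optional[re.Pattern] = None
    sub_pattern: Optional[re.Pattern] = None
    replacement: str = ""
    replace_all: bool = False


def parse_rules(rule_strings: List[str]) -> List[Rule]:
    """Parse each rule string; malformed rules fail loudly instead of being skipped."""
    rules = []
    for raw in rule_strings:
        raw = raw.strip()
        if raw == "DEFAULT":
            rules.append(Rule(is_default=True))
            continue
        m = _RULE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed rule: {raw}")
        n, fmt, regex, pat, repl, flag = m.groups()
        rules.append(Rule(
            num_components=int(n), fmt=fmt,
            match=re.compile(regex) if regex is not None else None,
            sub_pattern=re.compile(pat) if pat is not None else None,
            replacement=repl or "", replace_all=(flag == "g"),
        ))
    return rules


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'kafka/host@REALM' -> (['kafka', 'host'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal has no realm: {principal}")
    return name.split("/"), realm


def short_name(principal: str, rules: List[Rule], default_realm: str) -> str:
    """Return the short name from the first matching rule, or raise NoMatchingRule."""
    components, realm = split_principal(principal)
    params = [realm] + components

    def _param(m: re.Match) -> str:
        i = int(m.group(1))
        if i >= len(params):
            raise ValueError(f"rule references ${i} but principal has {len(components)} components")
        return params[i]

    for rule in rules:
        if rule.is_default:
            if realm == default_realm:      # DEFAULT ignores the host part entirely
                return components[0]
            continue
        if rule.num_components != len(components):
            continue
        formatted = re.sub(r"\$(\d)", _param, rule.fmt)
        if rule.match is not None and rule.match.fullmatch(formatted) is None:
            continue
        if rule.sub_pattern is not None:
            result = rule.sub_pattern.sub(rule.replacement, formatted,
                                          count=0 if rule.replace_all else 1)
        else:
            result = formatted
        if _NON_SIMPLE_RE.search(result):
            raise NoMatchingRule(f"non-simple name {result!r} produced by rule {rule.fmt}")
        return result
    raise NoMatchingRule(f"no auth-to-local rule matched {principal}")


def map_or_deny(principal: str, rules: List[Rule], default_realm: str) -> Optional[str]:
    """Convenience wrapper: the short name, or None when the principal must be denied."""
    try:
        return short_name(principal, rules, default_realm)
    except NoMatchingRule:
        return None


# Constructed rule list for cluster1: only its own hosts may become the "kafka" user,
# and plain user principals of the realm map to their username.
CLUSTER1_RULES = parse_rules([
    r"RULE:[2:$1/$2@$0](kafka/cluster1-host-[1-4]\.example\.com@EXAMPLE\.COM)s/.*/kafka/",
    r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//",
])

if __name__ == "__main__":
    for p in ("kafka/cluster1-host-2.example.com@EXAMPLE.COM",
              "kafka/cluster2-host1.example.com@EXAMPLE.COM",
              "alice@EXAMPLE.COM", "alice@OTHER.COM"):
        print(p, "->", map_or_deny(p, CLUSTER1_RULES, DEFAULT_REALM))
    print("with DEFAULT appended:",
          map_or_deny("kafka/cluster2-host1.example.com@EXAMPLE.COM",
                      CLUSTER1_RULES + parse_rules(["DEFAULT"]), DEFAULT_REALM))
```

The order of the rules matters exactly as the configuration text above states: the first rule whose component count, format and regex match wins, so a trailing DEFAULT silently reintroduces the cross-cluster mapping for every two-component principal the earlier rules declined.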