From cfd8a2174afb1140b5042d913782b24615f32bfe Mon Sep 17 00:00:00 2001 From: Allen Wittenauer Date: Wed, 11 Feb 2015 07:40:39 -0800 Subject: [PATCH] HADOOP-11554. Expose HadoopKerberosName as a hadoop subcommand (aw) --- hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++ .../hadoop-common/src/main/bin/hadoop | 4 ++++ .../hadoop-common/src/main/bin/hadoop.cmd | 6 +++++- .../hadoop-common/src/site/markdown/CommandsManual.md | 10 ++++++++++ .../hadoop-common/src/site/markdown/SecureMode.md | 2 ++ 5 files changed, 23 insertions(+), 1 deletion(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 1536e44259..e2f176170d 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -27,6 +27,8 @@ Trunk (Unreleased) HADOOP-8934. Shell command ls should include sort options (Jonathan Allen via aw) + HADOOP-11554. Expose HadoopKerberosName as a hadoop subcommand (aw) + IMPROVEMENTS HADOOP-8017. Configure hadoop-main pom to get rid of M2E plugin execution diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop b/hadoop-common-project/hadoop-common/src/main/bin/hadoop index d689bdad14..42e4e83b36 100755 --- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop +++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop @@ -38,6 +38,7 @@ function hadoop_usage() echo " note: please use \"yarn jar\" to launch" echo " YARN applications, not this command." echo " jnipath prints the java.library.path" + echo " kerbname show auth_to_local principal conversion" echo " key manage keys via the KeyProvider" echo " trace view and modify Hadoop tracing settings" echo " version print the version" @@ -156,6 +157,9 @@ case ${COMMAND} in echo "${JAVA_LIBRARY_PATH}" exit 0 ;; + kerbname) + CLASS=org.apache.hadoop.security.HadoopKerberosName + ;; key) CLASS=org.apache.hadoop.crypto.key.KeyShell ;; diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd b/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd index f612ace7cc..c600fd1266 100644 --- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd +++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd @@ -146,7 +146,7 @@ call :updatepath %HADOOP_BIN_PATH% ) ) - set corecommands=fs version jar checknative distcp daemonlog archive classpath credential key + set corecommands=fs version jar checknative distcp daemonlog archive classpath credential kerbname key for %%i in ( %corecommands% ) do ( if %hadoop-command% == %%i set corecommand=true ) @@ -215,6 +215,10 @@ call :updatepath %HADOOP_BIN_PATH% set CLASS=org.apache.hadoop.security.alias.CredentialShell goto :eof +:kerbname + set CLASS=org.apache.hadoop.security.HadoopKerberosName + goto :eof + :key set CLASS=org.apache.hadoop.crypto.key.KeyShell goto :eof diff --git a/hadoop-common-project/hadoop-common/src/site/markdown/CommandsManual.md b/hadoop-common-project/hadoop-common/src/site/markdown/CommandsManual.md index b9c92c4218..f0c0367c12 100644 --- a/hadoop-common-project/hadoop-common/src/site/markdown/CommandsManual.md +++ b/hadoop-common-project/hadoop-common/src/site/markdown/CommandsManual.md @@ -27,6 +27,7 @@ * [fs](#fs) * [jar](#jar) * [jnipath](#jnipath) + * [kerbname](#kerbname) * [key](#key) * [trace](#trace) * [version](#version) @@ -175,6 +176,15 @@ Usage: `hadoop jnipath` Print the computed java.library.path. +### `kerbname` + + Usage: <<>> + + Convert the named principal via the auth_to_local rules to the Hadoop + user name. + + Example: <<>> + ### `key` Manage keys via the KeyProvider. diff --git a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md index ae057bc2cd..f0e1f1fbe9 100644 --- a/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md +++ b/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md @@ -162,6 +162,8 @@ Hadoop maps Kerberos principal to OS user account using the rule specified by `h By default, it picks the first component of principal name as a user name if the realms matches to the `default_realm` (usually defined in /etc/krb5.conf). For example, `host/full.qualified.domain.name@REALM.TLD` is mapped to `host` by default rule. +Custom rules can be tested using the <<>> command. This command allows one to specify a principal and apply Hadoop's current auth_to_local ruleset. The output will be what identity Hadoop will use for its usage. + ### Mapping from user to group Though files on HDFS are associated to owner and group, Hadoop does not have the definition of group by itself. Mapping from user to group is done by OS or LDAP.