This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • KIP-309: Add toUpperCase support to sasl.kerberos.principal.to.local rule
Skip to end of metadata
Go to start of metadata

Status

Current state"Under Discussion"

Discussion thread: here 

JIRA: here

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

KIP-203 implemented support to convert Kerberos principal name to lower case Linux user name via auth_to_local rules.
As a follow-up, KafkaShortnamer can be further extended to allow converting principal names to uppercase by appending /U to the rule.

One use-case is given here:  HADOOP-13984 - Getting issue details... STATUS

Proposed Changes

We propose to extend "sasl.kerberos.principal.to.local.rules"  config rule format/syntax by supporting an optional  "/U" (toUpperCase) at the end of the rule. Since usernames are locale insensitive strings, we propose to use Locale.ENGLISH for the case conversion

 For example, given the rules

"RULE:[2:$1@$0](JOE-QA-.*@EXAMPLE.COM)s/.*/joe-qa//U",
"RULE:[2:$1@$0](joe-qa-.*@EXAMPLE.COM)s/.*/joe-qa//U",
"RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*///U"
If the source string is JOE-QA-cl1/host@EXAMPLE.COM, the result will be JOE-QA
If the source string is joe-qa-cl1/host@EXAMPLE.COM, the result will be JOE-QA
If the source string is joe_user/host@EXAMPLE.COM, the result will be JOE-USER
If the source string is JOE_user/host@EXAMPLE.COM, the result will be JOE-USER


Compatibility, Deprecation, and Migration Plan

  • This is an extension to the existing sasl.kerberos.principal.to.local.rules format and there will be no impact on existing users.

Rejected Alternatives


  • No labels