[ 
https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15110122#comment-15110122
 ] 

Kai Zheng commented on HADOOP-11683:
------------------------------------

The patch looks good overall. Some comments.

1. Better to have an abstract like {{AbstractUserNameMappingProvider}} to 
implement the new interface and extend {{Configured}}. Then all the providers 
like {{CompositeUserNameMapping}} simply extend the abstract.
2. As I previously explained, it would be good to have a simple cache as 
{{GroupMappingServiceProvider}} does, because the conversion from user name to 
short name may be time-consuming and involve a remote service call, as you said. 
The effort is small and the benefit is worth it. Please note the mapping provider 
is used in the core part and can be queried some times during a session. We 
should try to avoid remote service calls as much as possible.
3. The mapping provider instance should be created only when 
{{setConfiguration}} is called, instead of every time a query or conversion 
happens, in {{HadoopKerberosName}}. Note the change in setConfiguration isn't 
necessary.
4. We probably need to support refresh on the server side as group mapping does. 
It's useful when you change the mapping provider configurations but don't want 
to restart your NN server. If so, we can trigger it in 
{{NameNodeRpcServer#refreshUserToGroupsMappings}}.
5. It may be a mistake to have two test users of the same name.
{code}
  private static TestUser joe = new TestUser("[email protected]", "joe");
  private static TestUser john = new TestUser("[email protected]", "john");
  private static TestUser jack = new TestUser("[email protected]", "jack");
{code}

> Need a plugin API to translate long principal names to local OS user names 
> arbitrarily
> --------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11683
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11683
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Sunny Cheung
>            Assignee: roger mak
>         Attachments: HADOOP-11683.001.patch, HADOOP-11683.002.patch, 
> HADOOP-11683.003.patch
>
>
> We need a plugin API to translate long principal names (e.g. 
> [email protected]) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g. 
> [email protected] to john_doe), and the hadoop.security.auth_to_local 
> configurable mapping is sufficient to resolve this (see HADOOP-6526). 
> However, in some other cases the name translation is arbitrary and cannot be 
> generalized by a set of translation rules easily.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
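
Points 2 and 4 of the comment above (cache the principal-to-short-name lookup, and allow a server-side refresh), shown as an added example that is not code from the HADOOP-11683 patch or from Hadoop. The class name `CachingNameMapper`, its methods, the TTL parameter and the sample principal are all assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;

/** Hypothetical caching wrapper for a principal-to-short-name lookup; not a Hadoop class. */
public class CachingNameMapper {
  private static final class Entry {
    final String shortName;
    final long expiresAtNanos;
    Entry(String s, long t) { shortName = s; expiresAtNanos = t; }
  }

  private final Function<String, String> delegate; // may call a remote service
  private final long ttlNanos; // bounds how long a changed or revoked mapping is still served
  private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
  public CachingNameMapper(Function<String, String> delegate, long ttlSeconds) {
    this.delegate = delegate;
    this.ttlNanos = TimeUnit.SECONDS.toNanos(ttlSeconds);
  }

  public String toShortName(String principal) {
    long now = System.nanoTime();
    Entry e = cache.get(principal);
    if (e != null && now - e.expiresAtNanos < 0) {
      return e.shortName; // fresh hit: no delegate call
    }
    String shortName = delegate.apply(principal);
    if (shortName == null) {
      // Failures are not cached, so a mapping added later is picked up at once.
      throw new IllegalArgumentException("No mapping for " + principal);
    }
    cache.put(principal, new Entry(shortName, now + ttlNanos));
    return shortName;
  }

  /** Drops every entry; call from an admin refresh after the mapping config changes. */
  public void refresh() { cache.clear(); }

  public static void main(String[] args) {
    int[] lookups = {0}; // counts calls that reach the delegate
    // Constructed sample mapping; principal and short name are placeholders.
    CachingNameMapper m = new CachingNameMapper(
        p -> { lookups[0]++; return "alice@EXAMPLE.COM".equals(p) ? "user0001" : null; }, 300);
    m.toShortName("alice@EXAMPLE.COM");
    m.toShortName("alice@EXAMPLE.COM"); // served from the cache
    m.refresh();
    m.toShortName("alice@EXAMPLE.COM"); // looked up again after the refresh
    System.out.println("delegate calls: " + lookups[0]);
  }
}
```

Because the short name decides which local account a principal acts as, the TTL and the refresh hook are what limit how long a stale mapping stays in effect after the provider's data changes.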
