[ https://issues.apache.org/jira/browse/HADOOP-13771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15617033#comment-15617033 ]

Allen Wittenauer commented on HADOOP-13771:
-------------------------------------------

We are treading on very dangerous ground here.

The reason why the 'hdfs groups' command exists is because the NN is considered 
authoritative.  If the NN and the client are configured differently, then 
(historically) the various POSIX commands will give different answers than what 
the NN considers true.  Now that group resolution is pluggable, the client may 
not even have the ability to query the authoritative source!

Removing the ability to query the NN about what it thinks the groups are also 
removes a major debugging tool. 

There's an additional wrinkle here.  The NN is not the only process that is 
doing group resolution.  Pretty much any service that does ACL resolution also 
does group resolution to some degree.  Making the command 'hadoop groups' is 
going to lead some folks to think that this works for any service...

I'd therefore propose a different solution.  'hdfs groups' should work like 
nslookup.  If the NN is up, it should query the NN and give an authoritative 
answer.  If the NN is not up, it should give the local answer but be absolutely 
clear that it is at best a guess and may be incorrect.
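
The nslookup-style behaviour proposed in the comment above, as an added illustration (not Hadoop code, not the commenter's code): the NN is treated as the authoritative source, the local resolver is only a fallback, and a fallback answer is flagged as non-authoritative. The two group mappings are constructed sample data; the `nn_up` parameter stands in for NN reachability.

```python
# Added example (not Hadoop code): models the nslookup-style lookup proposed
# above. The NN is authoritative; the local resolver is only a fallback and
# its answer is explicitly flagged as a guess.
from dataclasses import dataclass


class NameNodeUnavailable(Exception):
    """Raised when the authoritative source cannot be reached."""


@dataclass
class GroupAnswer:
    user: str
    groups: list
    authoritative: bool  # True only when the NN supplied the answer


# Constructed sample data: the NN is configured with a different (e.g. LDAP)
# mapping than the client's local POSIX view, so the two disagree for 'alice'.
NN_MAPPING = {"alice": ["hadoop", "finance"], "hdfs": ["hadoop", "hdfs"]}
LOCAL_MAPPING = {"alice": ["alice", "staff"], "hdfs": ["hadoop", "hdfs"]}


def query_namenode(user, nn_up=True):
    """Stand-in for asking the NN; nn_up=False simulates an unreachable NN."""
    if not nn_up:
        raise NameNodeUnavailable("cannot reach NN")
    return list(NN_MAPPING.get(user, []))


def query_local(user):
    """Stand-in for the client's own (POSIX/LDAP) group resolution."""
    return list(LOCAL_MAPPING.get(user, []))


def resolve_groups(user, nn_up=True):
    """Authoritative answer when the NN is up; otherwise the local answer,
    clearly marked as non-authoritative."""
    try:
        return GroupAnswer(user, query_namenode(user, nn_up), True)
    except NameNodeUnavailable:
        return GroupAnswer(user, query_local(user), False)


def format_answer(ans):
    """Render like nslookup: say plainly when the answer is not authoritative."""
    line = f"{ans.user} : [{', '.join(ans.groups)}]"
    if not ans.authoritative:
        line += "\n** Non-authoritative answer (NN unreachable; local resolution may be incorrect)"
    return line


def diverges(user):
    """True when the client's local view disagrees with what the NN enforces."""
    return sorted(query_local(user)) != sorted(query_namenode(user))
```

Running `format_answer(resolve_groups("alice", nn_up=False))` shows the local guess with the non-authoritative marker, while `diverges("alice")` flags exactly the client/NN mismatch the comment warns about.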



> Adding group mapping lookup utility without dependency on HDFS namenode
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-13771
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13771
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security, tools
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-13771.00.patch
>
>
> We have the {{hdfs groups}} command to troubleshoot issues related to users' 
> group member lookup with Unix/LDAP. However, there are some limitations of 
> this command: 1) it can only be executed when the namenode is running. 2) any 
> change in the group mapping lookup configuration needs an hdfs namenode 
> restart, which is expensive. 
> This ticket proposes a simple CLI utility like HadoopKerberosName:
> {code}
> hadoop org.apache.hadoop.security.HadoopKerberosName 
> nn/localh...@hdpdev.dev.com
> {code}
> The CLI utility for group member lookup will have a usage like below without 
> namenode running or restart for configuration change.
> {code}
> hadoop org.apache.hadoop.security.Groups hdfs
> hdfs : [hadoop, hdfs]
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
