[ https://issues.apache.org/jira/browse/HADOOP-15213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16355583#comment-16355583 ]

Dhirendra Khanka commented on HADOOP-15213:
-------------------------------------------

Sorry, I did not understand your resolution comment.
From the code, you see the parent ShellBasedUnixGroupsMapping.getGroups is
always called and you always get the local groups of the user. So it's not that
everything is netgroup-based. I think you need to revisit the code. I have a
problem in the NetgroupCache.getNetgroups(user,groups); call. This call is not
updating the cache because of the issue in implementation.

{code:java}
  public List<String> getGroups(String user) throws IOException {
    // parent get unix groups
    List<String> groups = new LinkedList<String>(super.getGroups(user));
    NetgroupCache.getNetgroups(user, groups);
    return groups;
  }
{code}

We have netgroup users and we want to enable netgroup mappings for hadoop. So I
have enabled the property hadoop.security.group.mapping.
As per the documentation
[https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/GroupsMapping.html],
the getent netgroup command is used to resolve the list of groups for a user. The
problem occurs because the code is assuming usernames to be appended with '@'.
If I remove the substring(1) then I am able to get the netgroups of the user.
This is not the case when I fire the getent netgroup command on the cli or via
the code using Shell.execCommand(Shell.getUsersForNetgroupCommand(netgroup)). I
already shared the output of this command and you do not see '@' anywhere in
the output.


> JniBasedUnixGroupsNetgroupMapping.java and 
> ShellBasedUnixGroupsNetgroupMapping.java use netgroup.substring(1) 
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-15213
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15213
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>         Environment: SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 3
>            Reporter: Dhirendra Khanka
>            Priority: Minor
>
>  
> Part of the code from the 2 classes below is shown below
>  org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping.java
> {code:java}
>  protected synchronized List<String> getUsersForNetgroup(String netgroup) {
>     String[] users = null;
>     try {
>       // JNI code does not expect '@' at the begining of the group name
>       users = getUsersForNetgroupJNI(netgroup.substring(1));
>     } catch (Exception e) {
>       if (LOG.isDebugEnabled()) {
>         LOG.debug("Error getting users for netgroup " + netgroup, e);
>       } else {
>         LOG.info("Error getting users for netgroup " + netgroup + 
>             ": " + e.getMessage());
>       }
>     }
>     if (users != null && users.length != 0) {
>       return Arrays.asList(users);
>     }
>     return new LinkedList<String>();
>   }{code}
> org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.java
>  
> {code:java}
>   protected String execShellGetUserForNetgroup(final String netgroup)
>       throws IOException {
>     String result = "";
>     try {
>       // shell command does not expect '@' at the begining of the group name
>       result = Shell.execCommand(
>         Shell.getUsersForNetgroupCommand(netgroup.substring(1)));
>     } catch (ExitCodeException e) {
>       // if we didn't get the group - just return empty list;
>       LOG.warn("error getting users for netgroup " + netgroup, e);
>     }
>     return result;
>   }
> {code}
>  The comments from the code above expect the input to contain '@', however 
> when executing the shell directly the output has the below form which does 
> not contain any ampersand symbol. 
> {code:java}
> :~> getent netgroup mynetgroup1
> mynetgroup1           ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , 
> uedfmst, ){code}
>  
> I have created a test code and removed the substring function and then ran it 
> on the cluster using hadoop jar. The code returned netgroups correctly after 
> the modification. I have limited knowledge on netgroup. The issue was 
> discovered when
> hadoop.security.group.mapping = 
> *org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback* was added 
> to core-site.xml and it failed to apply netgroup access.
>  
>  
>  
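
The behaviour discussed in this thread, as an added example that is not part of the original message or of Hadoop's code: `substring(1)` drops the first character whether or not it is `@`, so a netgroup name passed without the prefix becomes a different lookup key. The class name, method names and the sample `getent` line are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; NetgroupNameDemo and its methods are hypothetical, not Hadoop APIs.
public class NetgroupNameDemo {

  // A netgroup triple is (host,user,domain); capture the user field.
  private static final Pattern TRIPLE =
      Pattern.compile("\\(\\s*[^,()]*,\\s*([^,()\\s]*)\\s*,[^()]*\\)");

  // What the quoted code does: always drop the first character.
  static String unconditionalStrip(String netgroup) {
    return netgroup.substring(1);
  }

  // Strip only a leading '@'; reject empty names instead of looking them up.
  static String stripPrefixIfPresent(String netgroup) {
    if (netgroup == null || netgroup.isEmpty() || netgroup.equals("@")) {
      throw new IllegalArgumentException("empty netgroup name");
    }
    return netgroup.charAt(0) == '@' ? netgroup.substring(1) : netgroup;
  }

  // Extract user names from one line of `getent netgroup <name>` output.
  static List<String> parseUsers(String getentLine) {
    List<String> users = new ArrayList<>();
    Matcher m = TRIPLE.matcher(getentLine);
    while (m.find()) {
      if (!m.group(1).isEmpty()) {
        users.add(m.group(1));
      }
    }
    return users;
  }

  public static void main(String[] args) {
    // Constructed sample in the same shape as the output quoted in the issue.
    String line = "mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, )";
    System.out.println(unconditionalStrip("@mynetgroup1"));   // prefixed name
    System.out.println(unconditionalStrip("mynetgroup1"));    // unprefixed name loses its first letter
    System.out.println(stripPrefixIfPresent("@mynetgroup1"));
    System.out.println(stripPrefixIfPresent("mynetgroup1"));
    System.out.println(parseUsers(line));
  }
}
```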


