[ 
https://issues.apache.org/jira/browse/HADOOP-15213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16358139#comment-16358139
 ] 

Dhirendra Khanka commented on HADOOP-15213:
-------------------------------------------

Please provide valid references for your assertion that netgroups are meant for 
service accounts. I don't mean it's a bug. It's just that the implementation 
should check if substring(1) = '@'; if yes, then use netgroups.substring(1), else 
just pass netgroups.

I can show you the reference below

[https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/GroupsMapping.html]

which states the following:

The groups of a user is determined by a group mapping service provider. Hadoop 
supports various group mapping mechanisms, configured by the 
{{hadoop.security.group.mapping}} property. Some of them, such as 
{{JniBasedUnixGroupsMappingWithFallback}}, use operating systems’ group name 
resolution and requires no configuration. But Hadoop also supports special 
group mapping mechanisms through LDAP and composition of LDAP and operating 
system group name resolution, which require additional configurations. 
{{hadoop.security.group.mapping}} can be one of the following:

 
 * *org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping*

This implementation is similar to {{ShellBasedUnixGroupsMapping}}, except that 
it executes {color:#FF0000}{{getent netgroup}} command to get netgroup 
membership.{color}

 

The reference link {color:#FF0000}does not anywhere state that netgroups are 
meant for service account ACLs{color}. Besides, I don't understand in the first 
place why service accounts would be placed in netgroups. Aren't service 
accounts meant to be local Unix accounts?

Also find below the debug output showing the netgroup API calls in action:
{code:java}
tdms@casatdhdp01master01:~> hdfs dfs -ls /user/tdms
18/02/09 09:47:30 DEBUG util.Shell: setsid exited with exit code 0
18/02/09 09:47:30 DEBUG conf.Configuration: parsing URL jar:file:/usr/hdp/2.5.3.0-37/hadoop/hadoop-common-2.7.3.2.5.3.0-37.jar!/core-default.xml
18/02/09 09:47:30 DEBUG conf.Configuration: parsing input stream sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream@78186a70
18/02/09 09:47:30 DEBUG conf.Configuration: parsing URL file:/etc/hadoop/2.5.3.0-37/0/core-site.xml
18/02/09 09:47:30 DEBUG conf.Configuration: parsing input stream java.io.BufferedInputStream@15d9bc04
18/02/09 09:47:30 DEBUG security.SecurityUtil: Setting hadoop.security.token.service.use_ip to true
18/02/09 09:47:30 DEBUG util.KerberosName: Kerberos krb5 configuration not found, setting default realm to empty
18/02/09 09:47:30 DEBUG security.Groups:  Creating new Groups object
18/02/09 09:47:30 DEBUG util.NativeCodeLoader: Trying to load the custom-built native-hadoop library...
18/02/09 09:47:30 DEBUG util.NativeCodeLoader: Loaded the native-hadoop library
18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsMapping: Using JniBasedUnixGroupsMapping for Group resolution
18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsNetgroupMapping: Using JniBasedUnixGroupsNetgroupMapping for Netgroup resolution
18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsNetgroupMappingWithFallback: Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
18/02/09 09:47:30 DEBUG security.Groups: Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMappingWithFallback; cacheTimeout=300000; warningDeltaMs=5000
18/02/09 09:47:30 DEBUG security.UserGroupInformation: hadoop login
18/02/09 09:47:30 DEBUG security.UserGroupInformation: hadoop login commit
18/02/09 09:47:30 DEBUG security.UserGroupInformation: using local user:UnixPrincipal: tdms
18/02/09 09:47:30 DEBUG security.UserGroupInformation: Using user: "UnixPrincipal: tdms" with name tdms
18/02/09 09:47:30 DEBUG security.UserGroupInformation: User entry: "tdms"
18/02/09 09:47:30 DEBUG security.UserGroupInformation: UGI loginUser:tdms (auth:SIMPLE)
{code}
 

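The access-control consequence of the unconditional substring(1), and the guarded check the comment proposes, worked through on the `getent netgroup` output quoted in the issue. This is an added illustration, not Hadoop's code: it is Python rather than Java, the `getent` output is embedded as a constructed fixture instead of being run, and the function names are hypothetical.

```python
import re

# Constructed fixture: the `getent netgroup mynetgroup1` output quoted in the
# issue, keyed by netgroup name, so the example runs without NIS/LDAP access.
GETENT_OUTPUT = {
    "mynetgroup1": "mynetgroup1           ( , a3xsds, ) ( , beekvkl, ) "
                   "( , redcuan, ) ( , uedfmst, )",
}

# A netgroup entry is a list of (host, user, domain) triples; an empty field
# means "any", so the user field is the only part an ACL check needs.
TRIPLE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup_users(line):
    """Return the non-empty user fields from one getent netgroup line."""
    return [user for _host, user, _domain in TRIPLE.findall(line) if user]


def users_for_netgroup_unconditional(name, lookup=GETENT_OUTPUT.get):
    """Mirror the behaviour the issue reports: the first character is always
    dropped, so a bare netgroup name loses its first letter, resolves to no
    entry, and the netgroup ACL silently matches nobody."""
    line = lookup(name[1:])
    return parse_netgroup_users(line) if line else []


def users_for_netgroup_guarded(name, lookup=GETENT_OUTPUT.get):
    """The check the commenter proposes: strip the '@' ACL marker only when
    it is actually present, otherwise pass the name through unchanged."""
    bare = name[1:] if name.startswith("@") else name
    line = lookup(bare)
    return parse_netgroup_users(line) if line else []


if __name__ == "__main__":
    for fn in (users_for_netgroup_unconditional, users_for_netgroup_guarded):
        for name in ("@mynetgroup1", "mynetgroup1"):
            print(f"{fn.__name__}({name!r}) -> {fn(name)}")
```

Run as a script it shows the bare name resolving to an empty user list under the unconditional strip, which is the "failed to apply netgroup access" symptom from the report, while the guarded version resolves both spellings.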
> JniBasedUnixGroupsNetgroupMapping.java and 
> ShellBasedUnixGroupsNetgroupMapping.java use netgroup.substring(1) 
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-15213
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15213
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>         Environment: SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 3
>            Reporter: Dhirendra Khanka
>            Priority: Minor
>
>  
> Part of the code from the 2 classes below:
>  org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping.java
> {code:java}
>  protected synchronized List<String> getUsersForNetgroup(String netgroup) {
>     String[] users = null;
>     try {
>       // JNI code does not expect '@' at the begining of the group name
>       users = getUsersForNetgroupJNI(netgroup.substring(1));
>     } catch (Exception e) {
>       if (LOG.isDebugEnabled()) {
>         LOG.debug("Error getting users for netgroup " + netgroup, e);
>       } else {
>         LOG.info("Error getting users for netgroup " + netgroup + 
>             ": " + e.getMessage());
>       }
>     }
>     if (users != null && users.length != 0) {
>       return Arrays.asList(users);
>     }
>     return new LinkedList<String>();
>   }{code}
> org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.java
>  
> {code:java}
> protected String execShellGetUserForNetgroup(final String netgroup)
>     throws IOException {
>   String result = "";
>   try {
>     // shell command does not expect '@' at the begining of the group name
>     result = Shell.execCommand(
>         Shell.getUsersForNetgroupCommand(netgroup.substring(1)));
>   } catch (ExitCodeException e) {
>     // if we didn't get the group - just return empty list;
>     LOG.warn("error getting users for netgroup " + netgroup, e);
>   }
>   return result;
> }
> {code}
> The comments in the code above expect the input to contain '@'; however, 
> when executing the shell command directly, the output has the form below, 
> which does not contain any ampersand symbol.
> {code:java}
> :~> getent netgroup mynetgroup1
> mynetgroup1           ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, )
> {code}
>  
> I have created test code with the substring function removed and ran it 
> on the cluster using hadoop jar. The code returned netgroups correctly after 
> the modification. I have limited knowledge of netgroups. The issue was 
> discovered when
> hadoop.security.group.mapping = 
> *org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback* was added 
> to core-site.xml and it failed to apply netgroup access.
>  
