[
https://issues.apache.org/jira/browse/HADOOP-17467?focusedWorklogId=538105&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-538105
]
ASF GitHub Bot logged work on HADOOP-17467:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 19/Jan/21 22:22
Start Date: 19/Jan/21 22:22
Worklog Time Spent: 10m
Work Description: amahussein opened a new pull request #2627:
URL: https://github.com/apache/hadoop/pull/2627
- `cacheGroupsRefresh` introduces a race that could result in a group not
being added correctly to the set of keys in the table. The code below shows
that a concurrent thread that adds a group between lines 80-81 would not be
accounted for.
```java
78 @Override
79 public void cacheGroupsRefresh() throws IOException {
80 List<String> groups = NetgroupCache.getNetgroupNames();
81 NetgroupCache.clear();
82 cacheGroupsAdd(groups);
83 }
```
- getGroupSet is not implemented in JNIBased classes. As a result, the
netgroup data won't be retrieved from the NetgroupCache even after forcing a
manual `refresh()`. This bug was introduced by
[HADOOP-17079](https://issues.apache.org/jira/browse/HADOOP-17079)
- `NetgroupCache.isCached` is not threadSafe. The process of checking
whether a group has been cached or not can be overwhelming given the number of
users in the tables.
- In addition to the above fixed, I added a unit test to verify the code
fails in concurrent environment.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 538105)
Time Spent: 0.5h (was: 20m)
> netgroup-user does not refresh
> ------------------------------
>
> Key: HADOOP-17467
> URL: https://issues.apache.org/jira/browse/HADOOP-17467
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Ahmed Hussein
> Assignee: Ahmed Hussein
> Priority: Major
> Labels: pull-request-available
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> After the optimization in HADOOP-17079, {{JniBasedUnixGroupsNetgroupMapping}}
> does not implement {{getGroupSet}}.
> As a result, {{Groups.load()}} load the cache calling {{fetchGroupSet}}
> which got
> to the superclass {{JniBasedUnixGroupsMapping}}.
> In other words, the groups mapping will never fetch from {{NetgroupCache}}.
> This alters the behavior of the implementation. Is there a reason to bypass
> loading. CC: [~xyao]
> There is potential concurrency bug in the {{NetgroupCache}} implementation.
> {{NetgroupCache}} is static. When ACL is built, its groups will be added to
> the {{NetgroupCache}}.
> A {{-refreshUserToGroupsMappings}} forces the cache to reload the users for
> each group.
> This is done by first getting the keys, clearing the cache, then finally
> reloading the users for each group.
> The problem that the three steps are not atomic.
> Adding ACLs concurrently may take place between L80-L81
> ([JniBasedUnixGroupsNetgroupMapping#L79|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/JniBasedUnixGroupsNetgroupMapping.java#L79]).
> This results in the loss of the most recently added group.
> Since group names are used in the JNI level, the users of that group won't
> be retrieved.
> {code:java}
> 78 @Override
> 79 public void cacheGroupsRefresh() throws IOException {
> 80 List<String> groups = NetgroupCache.getNetgroupNames();
> 81 NetgroupCache.clear();
> 82 cacheGroupsAdd(groups);
> 83 }
> {code}
> +Solution:+
> Refreshing {{NetgroupCache}} should not clear the cache keys.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
