[jira] [Commented] (HADOOP-8088) User-group mapping cache incorrectly does negative caching on transient failures

Fri, 16 Mar 2012 13:12:03 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-8088?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13231574#comment-13231574
 ] 

Kihwal Lee commented on HADOOP-8088:
------------------------------------

bq. Thinking about it, it may make sense to not cache negatives at all.

I initially thought so, but was not sure about the original design goal of the 
group caching. On many systems, nscd or equivalent can do negative caching to 
reduce unnecessary network traffic to ldap server, etc. So removing the 
behavior might not be too much of concern.
                
> User-group mapping cache incorrectly does negative caching on transient 
> failures
> --------------------------------------------------------------------------------
>
>                 Key: HADOOP-8088
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8088
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.20.205.0, 0.24.0, 0.23.1, 1.0.0, 1.1.0
>            Reporter: Kihwal Lee
>             Fix For: 0.24.0, 1.1.0, 0.23.2
>
>         Attachments: hadoop-8088-branch-1.patch, hadoop-8088-trunk.patch, 
> hadoop-8088-trunk.patch
>
>
> We've seen a case where some getGroups() calls fail when the ldap server or 
> the network is having transient failures. Looking at the code, the 
> shell-based and the JNI-based implementations swallow exceptions and return 
> an empty or partial list. The caller, Groups#getGroups() adds this likely 
> empty list into the mapping cache for the user. This will function as 
> negative caching until the cache expires. I don't think we want negative 
> caching here, but even if we do, it should be intelligent enough to 
> distinguish transient failures from ENOENT. The log message in the jni-based 
> impl also needs an improvement. It should print what exception it encountered 
> instead of just saying one happened.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to