[jira] [Commented] (HADOOP-9436) NetgroupCache does not refresh membership correctly

[Kihwal Lee (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-9436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13615663#comment-13615663
 ] 

Kihwal Lee commented on HADOOP-9436:
------------------------------------

I tried to minimize contention in the patch. From a comment section in the 
patch:

{code}
   * There are three different points where concurrent accesses happen.
   * 1) User-to-groups mapping: This is thread safe data structure, so
   *    putting and getting don't need to make them safe.
   * 2) cachedGroups: This needs to be protected from concurrent accesses.
   *    Also, the content needs to be kept in sync with 1).
   *    Synchronize on cachedGroups whenever updating mappings.
   * 3) refresh: Refresh requests need to be serialized.
   *    Caller to be synchronized on refreshLock.
   *
   * By separating into three, cache lookups are never explicitly blocked.
   * Regular cache add activities and refresh can mostly overlap. 
{code}

Improved:
* Refresh does not leave removed users in the cache.
* No more direct modification of values in the map. It wasn't thread safe.
* No more rebuild-from-scratch whenever a group is added.
* Addition of fine-grained locking.
                
> NetgroupCache does not refresh membership correctly
> ---------------------------------------------------
>
>                 Key: HADOOP-9436
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9436
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 3.0.0, 2.0.3-alpha, 0.23.7
>            Reporter: Kihwal Lee
>            Assignee: Kihwal Lee
>         Attachments: HADOOP-9436.patch
>
>
> NetgroupCache is used to get around the problem of inability to obtain a 
> single user-to-groups mapping from netgroup. For example, the ACL code 
> pre-populates this cache, so that any user-group mapping can be resolved for 
> all groups defined in the service.
> However, the current refresh code only adds users to existing groups, so a 
> loss of group membership won't take effect. This is because the internal 
> user-groups mapping cache is never invalidated. If this is simply invalidated 
> on clear(), the cache entries will build up correctly, but user-group 
> resolution may fail during refresh, resulting in incorrectly denying accesses.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira