[
https://issues.apache.org/jira/browse/HADOOP-9968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benoy Antony updated HADOOP-9968:
---------------------------------
Attachment: HADOOP-9968.patch
Thanks [~tucu00] for the review.
Attaching a patch which takes care of [~tucu00]'s comment.
The related test case is moved to the _TestProxyGroups_ class. The test case
failure is fixed by adopting the manual approach (similar to
_TestAccessControlList_). I tested it manually.
Why is this change required to use NetGroups?
Ordinary groups can be found using a user name as input.
In the case of netgroups, the input will be a list of group names. Then a
_user to groups_ map is established for all users belonging to those groups.
This can be studied by reviewing _ShellBasedUnixGroupsNetgroupMapping_. Note
that _ShellBasedUnixGroupsNetgroupMapping_ overrides _cacheGroupsAdd_ and this
is the only way to map a set of groups to a user.
Also review the _AccessControlList.buildACL_ function. It has a similar
requirement and hence it calls _cacheGroupsAdd_.
> ProxyUsers does not work with NetGroups
> ---------------------------------------
>
> Key: HADOOP-9968
> URL: https://issues.apache.org/jira/browse/HADOOP-9968
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Attachments: HADOOP-9968.patch, HADOOP-9968.patch, HADOOP-9968.patch,
> hadoop-9968-1.2.patch
>
>
> It is possible to use NetGroups for ACLs. This requires specifying the
> config property hadoop.security.group.mapping as
> org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping or
> org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.
> The authorization to proxy a user by another user is specified as a list of
> groups hadoop.proxyuser.<user-name>.groups. The Group resolution does not
> work if we are using NetGroups.
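The lookup direction described in the comment above, as an added sketch that is not part of the original message and is not Hadoop's code: a simplified in-memory model of a netgroup-backed mapping, showing why a proxy-user check fails until the configured netgroup names are passed to `cacheGroupsAdd`. The class name, the sample directory, the user names and the `@` prefix on netgroup names are assumptions made for the illustration.

```java
import java.util.*;

// Simplified model (not Hadoop code) of a netgroup-backed group mapping.
public class NetgroupProxyDemo {
    // Constructed sample data: netgroup -> members, standing in for the directory lookup.
    static final Map<String, List<String>> DIRECTORY = Map.of(
        "@etl-admins", List.of("alice", "bob"),
        "@analysts", List.of("carol"));

    // user -> netgroups; filled only by cacheGroupsAdd.
    private final Map<String, Set<String>> userToGroups = new HashMap<>();

    // Netgroup resolution runs group -> members, so group names must be supplied first.
    void cacheGroupsAdd(List<String> groups) {
        for (String g : groups) {
            if (!g.startsWith("@")) continue; // assumption: netgroups carry an '@' prefix
            for (String user : DIRECTORY.getOrDefault(g, List.of())) {
                userToGroups.computeIfAbsent(user, k -> new TreeSet<>()).add(g);
            }
        }
    }

    // Answers only from the cache; a netgroup that was never added is never returned.
    List<String> getGroups(String user) {
        return new ArrayList<>(userToGroups.getOrDefault(user, Set.of()));
    }

    // Proxy check: does the user belong to any group configured for the proxy user?
    static boolean mayBeProxied(NetgroupProxyDemo m, String user, List<String> allowed) {
        return !Collections.disjoint(m.getGroups(user), allowed);
    }

    public static void main(String[] args) {
        // Hypothetical value of hadoop.proxyuser.<user-name>.groups
        List<String> allowed = List.of("@etl-admins");

        // Cache never seeded: membership cannot be resolved, so the check denies.
        NetgroupProxyDemo unseeded = new NetgroupProxyDemo();
        System.out.println("without cacheGroupsAdd: " + mayBeProxied(unseeded, "alice", allowed));

        // Cache seeded with the configured names, as the comment says buildACL does.
        NetgroupProxyDemo seeded = new NetgroupProxyDemo();
        seeded.cacheGroupsAdd(allowed);
        System.out.println("with cacheGroupsAdd:    " + mayBeProxied(seeded, "alice", allowed));
        System.out.println("non-member carol:       " + mayBeProxied(seeded, "carol", allowed));
    }
}
```

The unseeded case fails closed: a legitimate member is denied rather than a non-member admitted, which is why the issue shows up as proxying not working rather than as over-permissive access.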