[ 
https://issues.apache.org/jira/browse/HADOOP-9968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13900889#comment-13900889
 ] 

Alejandro Abdelnur commented on HADOOP-9968:
--------------------------------------------

Got it, thx for the explanation. Following the ACL pattern, this seems OK.

What I don't follow is why we need this initialization. It seems that
NetGroup membership is not resolved unless explicitly initialized for the
netgroup. Am I correct with this?

Also, digging a bit (though not introduced by this patch), it seems there is a
problem. If {{Groups.refresh()}} is called, the cache is flushed and you'll
lose all these settings. This will happen with ACLs as well.



> ProxyUsers does not work with NetGroups
> ---------------------------------------
>
>                 Key: HADOOP-9968
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9968
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-9968.patch, HADOOP-9968.patch, HADOOP-9968.patch, 
> hadoop-9968-1.2.patch
>
>
> It is possible to use NetGroups for ACLs. This requires specifying the
> config property hadoop.security.group.mapping as
> org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping or
> org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.
> The authorization to proxy a user by another user is specified as a list of
> groups hadoop.proxyuser.<user-name>.groups. The Group resolution does not
> work if we are using NetGroups.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
