[ https://issues.apache.org/jira/browse/HADOOP-11683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14352754#comment-14352754 ]
Sunny Cheung commented on HADOOP-11683:
---------------------------------------
{quote}
I am assuming you are talking about:
[email protected] -> user123
[email protected] -> user789
...
possibly some 200k such entries
{quote}
[~asuresh]: Yes, thanks.
bq. The UserGroupsMappingProvider pluggable interface is a good example, which even
allows querying an external LDAP server to perform user->groups mapping. We might
borrow a similar idea from it for this.
[~drankye]: Thanks. Studying class GroupMappingServiceProvider and
CompositeGroupsMapping (for hadoop.security.group.mapping).
bq. Allowing such an interface for the mapping would also allow implementing
the translation rules in a modular approach, even not by user code.
What do we mean by modular approach vs. user code here?
bq. I understand the NameNode concern; yes, it's possible to incur overhead
for the NN if a user-provided plugin does not perform the mapping fast every time. To
alleviate the pain, we could consider supporting a cache of the mapping results
in the framework.
Perhaps the plugin could forward requests to a local daemon with caching
capability (just like nscd for name service requests) if we have concerns about
performance.
> Need a plugin API to translate long principal names to local OS user names
> arbitrarily
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-11683
> URL: https://issues.apache.org/jira/browse/HADOOP-11683
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Sunny Cheung
>
> We need a plugin API to translate long principal names (e.g.
> [email protected]) to local OS user names (e.g. user123456) arbitrarily.
> For some organizations the name translation is straightforward (e.g.
> [email protected] to john_doe), and the hadoop.security.auth_to_local
> configurable mapping is sufficient to resolve this (see HADOOP-6526).
> However, in some other cases the name translation is arbitrary and cannot be
> generalized by a set of translation rules easily.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
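
The caching idea discussed in the comment above, sketched as an added example that is not code from Hadoop or from any participant in this thread. The `PrincipalMapper` interface, the `CachingMapper` decorator and the sample principals are hypothetical and constructed for illustration; the sketch caches both hits and misses with a time limit and returns an empty result for unmapped principals so the caller can deny rather than fall back to a default user.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

public class PrincipalMappingDemo {
    /** Hypothetical plugin contract; not an existing Hadoop interface. */
    interface PrincipalMapper {
        Optional<String> toLocalUser(String principal); // empty = no mapping
    }

    /** Decorator that caches hits and misses for a bounded time. */
    static final class CachingMapper implements PrincipalMapper {
        private static final class Entry {
            final Optional<String> user; final long expiresAt;
            Entry(Optional<String> user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
        }
        private final PrincipalMapper delegate;
        private final long ttlNanos;
        private final Map<String, Entry> cache = new ConcurrentHashMap<>();

        CachingMapper(PrincipalMapper delegate, long ttlMillis) {
            this.delegate = delegate;
            this.ttlNanos = ttlMillis * 1_000_000L;
        }

        @Override
        public Optional<String> toLocalUser(String principal) {
            long now = System.nanoTime();
            Entry e = cache.get(principal);
            if (e == null || now - e.expiresAt >= 0) { // absent or expired
                // Misses are cached too, so an unknown principal cannot force
                // a backend lookup on every request; the TTL bounds staleness.
                e = new Entry(delegate.toLocalUser(principal), now + ttlNanos);
                cache.put(principal, e);
            }
            return e.user;
        }
    }

    public static void main(String[] args) {
        // Constructed sample table standing in for an arbitrary mapping source.
        Map<String, String> table = Map.of("alice@EXAMPLE.COM", "user123", "bob@EXAMPLE.COM", "user789");
        AtomicInteger backendCalls = new AtomicInteger();
        PrincipalMapper slow = p -> { backendCalls.incrementAndGet(); return Optional.ofNullable(table.get(p)); };
        PrincipalMapper mapper = new CachingMapper(slow, 60_000);

        for (int i = 0; i < 3; i++) mapper.toLocalUser("alice@EXAMPLE.COM");
        for (int i = 0; i < 3; i++) mapper.toLocalUser("mallory@EXAMPLE.COM");
        System.out.println(mapper.toLocalUser("alice@EXAMPLE.COM").orElse("<deny>"));
        System.out.println(mapper.toLocalUser("mallory@EXAMPLE.COM").orElse("<deny>"));
        System.out.println("backend calls: " + backendCalls.get());
    }
}
```

The cache in this sketch is unbounded; a deployed version would also cap its size and choose the TTL according to how quickly a changed or removed mapping must take effect.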