[
https://issues.apache.org/jira/browse/HADOOP-12413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14744977#comment-14744977
]
Hadoop QA commented on HADOOP-12413:
------------------------------------
\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | pre-patch | 22m 0s | Pre-patch trunk compilation is
healthy. |
| {color:green}+1{color} | @author | 0m 0s | The patch does not contain any
@author tags. |
| {color:green}+1{color} | tests included | 0m 0s | The patch appears to
include 1 new or modified test files. |
| {color:green}+1{color} | javac | 10m 22s | There were no new javac warning
messages. |
| {color:green}+1{color} | javadoc | 13m 13s | There were no new javadoc
warning messages. |
| {color:green}+1{color} | release audit | 0m 28s | The applied patch does
not increase the total number of release audit warnings. |
| {color:green}+1{color} | checkstyle | 1m 50s | There were no new checkstyle
issues. |
| {color:green}+1{color} | whitespace | 0m 0s | The patch has no lines that
end in whitespace. |
| {color:green}+1{color} | install | 2m 14s | mvn install still works. |
| {color:green}+1{color} | eclipse:eclipse | 0m 42s | The patch built with
eclipse:eclipse. |
| {color:green}+1{color} | findbugs | 2m 25s | The patch does not introduce
any new Findbugs (version 3.0.0) warnings. |
| {color:red}-1{color} | common tests | 27m 16s | Tests failed in
hadoop-common. |
| | | 80m 34s | |
\\
\\
|| Reason || Tests ||
| Failed unit tests | hadoop.fs.TestLocalFsFCStatistics |
| | hadoop.security.token.delegation.web.TestWebDelegationToken |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12755908/HADOOP-12413.000.patch
|
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / d777757 |
| hadoop-common test log |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7662/artifact/patchprocess/testrun_hadoop-common.txt
|
| Test Results |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7662/testReport/ |
| Java | 1.7.0_55 |
| uname | Linux asf905.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Console output |
https://builds.apache.org/job/PreCommit-HADOOP-Build/7662/console |
This message was automatically generated.
> AccessControlList should avoid calling getGroupNames in isUserInList with
> empty groups.
> ---------------------------------------------------------------------------------------
>
> Key: HADOOP-12413
> URL: https://issues.apache.org/jira/browse/HADOOP-12413
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.7.0
> Reporter: zhihai xu
> Assignee: zhihai xu
> Attachments: HADOOP-12413.000.patch
>
>
> {{AccessControlList}} should avoid calling {{getGroupNames}} in
> {{isUserInList}} with empty {{groups}}. Currently {{AccessControlList}} will
> call {{ugi.getGroupNames()}} in {{isUserInList}} even if {{groups}} is empty.
> {{ugi.getGroupNames()}} is an expensive operation which call shell script
> {{id -gn <USER> && id -Gn <user>}} to get the list of groups. For example,
> {{ServiceAuthorizationManager#authorize}} will call blocked ACL
> {{acls[1].isUserAllowed(user)}} to check the user permission. The default
> value for blocked ACL is empty
> {code}
> String defaultBlockedAcl = conf.get(
> CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL,
> "");
> {code}
> So every time {{authorize}} is called, {{getGroupNames}} may be called.
> It also caused the following warning message:
> {code}
> 2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715]
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying
> to get groups for user job_1441722221553_0005: id: job_1441722221553_0005: No
> such user
> 2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715]
> org.apache.hadoop.security.UserGroupInformation: No groups available for user
> job_1441722221553_0005
> 2015-09-08 14:55:34,236 INFO [Socket Reader #1 for port 52715]
> SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager:
> Authorization successful for job_1441722221553_0005 (auth:TOKEN) for
> protocol=interface org.apache.hadoop.mapred.TaskUmbilicalProtocol
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
