[
https://issues.apache.org/jira/browse/HADOOP-12505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14974642#comment-14974642
]
Chris Nauroth commented on HADOOP-12505:
----------------------------------------
I'm curious then about what is your stance on {{JniBasedUnixGroupsMapping}}.
Do you see it as a bug that it works correctly with non-Unix-compliant names?
Something else for us to consider is the severity to which tools break in the
presence of non-compliant names. For a local file system, it can break parsing
in scripts, but it can't harm permission checks, which are based on numeric
UID/GID. In Hadoop, we don't have access to a canonical UID/GID, so we rely on
the string names. (Arguably, we'd be better off with a real UID/GID, but that
would be a significant design change.) Since the bug places users into
incorrect groups (i.e. "Domain" and "Users" in the example), there is a risk of
influencing permission checks. I see this as a more severe problem and
something worthy of a bug fix.
> ShellBasedUnixGroupMapping should support group names with space
> ----------------------------------------------------------------
>
> Key: HADOOP-12505
> URL: https://issues.apache.org/jira/browse/HADOOP-12505
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
>
> In a typical configuration, group name is obtained from AD through SSSD/LDAP.
> AD permits group names with space (e.g. "Domain Users").
> Unfortunately, the present implementation of ShellBasedUnixGroupMapping
> parses the output of shell command "id -Gn", and assumes group names are
> separated by space.
> This could be achieved by using a combination of shell scripts, for example,
> bash -c 'id -G weichiu | tr " " "\n" | xargs -I % getent group "%" | cut -d":" -f1'
> But I am still looking for a more compact form, and potentially more
> efficient one.
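The parsing problem discussed in this thread, as an added example that is not Hadoop's code or part of the original messages: it contrasts splitting `id -Gn` output on spaces with resolving each numeric GID separately, the approach the quoted `id -G | getent group` pipeline takes. The function names, GIDs and group database are constructed for illustration; on a real host the lookup would be `getent group "$gid"`.

```shell
#!/bin/sh
# Constructed sample data (not from a real host): what `id -Gn` and `id -G`
# might print for a user in "hadoop" and the AD group "Domain Users".
SAMPLE_ID_GN='hadoop Domain Users'
SAMPLE_ID_G='1001 10513'

# Constructed group database in group(5) format: name:passwd:gid:members.
# "Users" is a separate, unrelated group that the user does NOT belong to.
SAMPLE_GROUP_DB='hadoop:x:1001:
Domain Users:*:10513:
Users:x:100:'

# Whitespace split of `id -Gn` output, the parsing the issue describes.
# Prints one parsed "group" per line.
groups_by_name_split() {
    printf '%s\n' "$1" | tr ' ' '\n'
}

# Resolve each numeric GID ($1) to its name on its own, so a space inside
# a name is never mistaken for a separator. $2 is the group database.
groups_by_gid() {
    for gid in $1; do
        printf '%s\n' "$2" | awk -F: -v gid="$gid" '$3 == gid { print $1 }'
    done
}

# Exit 0 if group name $1 is an exact line in the newline-separated list $2.
is_member() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

split_groups=$(groups_by_name_split "$SAMPLE_ID_GN")
gid_groups=$(groups_by_gid "$SAMPLE_ID_G" "$SAMPLE_GROUP_DB")

# A string-based permission check for the group "Users" passes with the
# split result even though the user is only in "Domain Users".
for label in split gid; do
    if [ "$label" = split ]; then list=$split_groups; else list=$gid_groups; fi
    if is_member "Users" "$list"; then verdict=member; else verdict=not-member; fi
    printf '%s-based lookup: "Users" -> %s\n' "$label" "$verdict"
done
```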