[ https://issues.apache.org/jira/browse/HADOOP-12505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14974671#comment-14974671 ]

Allen Wittenauer commented on HADOOP-12505:
-------------------------------------------

bq. I'm curious then about what is your stance on JniBasedUnixGroupsMapping. Do
you see it as a bug that it works correctly with non-Unix-compliant names?

Yes, because it means unpredictable behavior. Unpredictable behavior almost
always turns into a security hole. It's trivial to construct a group that turns
into ../.. (or whatever) in the path structure if I'm interpreting the output
of hadoop fs -ls. That's very very bad. (that said: it'd be an awesome crack.
Change the default user's group and watch everyone nuke their own files...)

bq. In Hadoop, we don't have access to a canonical UID/GID,

The NFS folks added some code to do it, but didn't really integrate it
correctly. Expedience always trumps correctness. :(

> ShellBasedUnixGroupMapping should support group names with space
> ----------------------------------------------------------------
>
> Key: HADOOP-12505
> URL: https://issues.apache.org/jira/browse/HADOOP-12505
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
>
> In a typical configuration, group name is obtained from AD through SSSD/LDAP.
> AD permits group names with spaces (e.g. "Domain Users").
> Unfortunately, the present implementation of ShellBasedUnixGroupMapping
> parses the output of the shell command "id -Gn", and assumes group names are
> separated by spaces.
> This could be achieved by using a combination of shell scripts, for example,
> bash -c 'id -G weichiu | tr " " "\n" | xargs -I % getent group "%" | cut -d":" -f1'
> But I am still looking for a more compact form, and potentially more
> efficient one.
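
The parsing problem discussed in this thread, as an added example that is not part of the original message or of Hadoop's code: splitting `id -Gn` output on spaces breaks a name such as "Domain Users", while splitting the numeric `id -G` output and resolving each GID keeps it whole. The sample outputs, group records and function names are constructed for illustration, and the name check (POSIX portable filename characters, no leading hyphen, not `.` or `..`) is a policy assumed here, not one taken from Hadoop.

```shell
#!/bin/sh
# Constructed sample data (not real directory contents): `id -Gn` and `id -G`
# output for one user, and getent-style records (name:passwd:gid:members).
SAMPLE_ID_GN='staff Domain Users hadoop'
SAMPLE_ID_G='20 10513 1001'
SAMPLE_GROUP_DB='staff:x:20:
Domain Users:*:10513:weichiu
hadoop:x:1001:weichiu'

# Naive parse: treat every space in `id -Gn` output as a separator.
split_names_on_space() {
  printf '%s\n' "$1" | tr ' ' '\n'
}

# Split the numeric GIDs instead (digits never contain spaces), then look up
# each GID in the records and print its name field, one name per line.
names_from_gids() {
  printf '%s\n' "$1" | tr ' ' '\n' | while IFS= read -r gid; do
    printf '%s\n' "$2" | awk -F: -v gid="$gid" '$3 == gid { print $1; exit }'
  done
}

# Assumed policy for this example: accept only names built from the POSIX
# portable filename characters, not starting with '-', and not '.' or '..',
# so a name can never act as a path component such as ../.. downstream.
is_portable_name() {
  case $1 in
    '' | . | .. | -*) return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Demo on the constructed data: show both parses and flag non-compliant names.
echo "naive split of id -Gn:"
split_names_on_space "$SAMPLE_ID_GN" | sed 's/^/  /'
echo "resolved from id -G:"
names_from_gids "$SAMPLE_ID_G" "$SAMPLE_GROUP_DB" | while IFS= read -r name; do
  if is_portable_name "$name"; then echo "  ok: $name"; else echo "  rejected: $name"; fi
done
```

On a live system the records would come from `getent group <gid>` per GID, as in the command quoted in the issue description.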