[ https://issues.apache.org/jira/browse/HADOOP-12468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-12468:
-------------------------------------
    Attachment: HADOOP-12468.004.patch

Rev4 is a complete rewrite to address several concerns:
(1) Primary group is placed first among all groups.
(2) Support numeric group names by adopting Harsh's suggestion. If some group 
names are not resolvable, get the list of group ids, and compare them one by 
one. For each group name/id pair, if both are the same, regard it as not 
resolved; otherwise, put the name in the list of group names.

This support of numeric group name is still not complete: it does not support 
Windows; also, if some group names are not resolved, and some group names are 
numeric, and also the group name is the same as the group id, they will be 
discarded. But this case should be extremely rare.

Ultimately, I think we should consider supporting a wider range of characters 
for group/user names as defined by the POSIX ("Portable Operating System 
Interface for Unix") standard (IEEE Standard 1003.1-2008), which includes:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -
(The <hyphen> character should not be used as the first character of a portable 
user name)
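The pairing rule in the comment above (run `id -Gn`; on a non-zero exit, also run `id -G` and pair names with ids position by position, dropping any pair where name equals id) is easy to get subtly wrong, so here is a worked version of it as an added example. This is not the HADOOP-12468 patch or Hadoop's own ShellBasedUnixGroupsMapping code, and the sample `id` output is constructed, not captured from a host. It shows the lockout behaviour the issue describes, the merge with primary group first, the rare "numeric name equals gid" case that gets discarded, and a checker for the POSIX portable character set listed above.

```python
import re
import subprocess
from typing import List

# Constructed sample output (not from a real host) for a user in four groups.
# gid 5001 has no resolvable name (e.g. an SSSD lookup failure), so `id -Gn`
# prints it numerically and exits non-zero. Group "4242" is genuinely named
# "4242" with gid 1003. Group "7777" is named "7777" AND has gid 7777: the
# rare case the comment says is discarded. Primary gid is 1001 ("hdfs").
SAMPLE_ID_GN = "4242 5001 hdfs 7777"   # `id -Gn user`, exit status 1
SAMPLE_ID_G = "1003 5001 1001 7777"    # `id -G user`,  exit status 0
SAMPLE_ID_G_PRIMARY = "1001"           # `id -g user`,  exit status 0


def legacy_resolve(names_out: str, names_exit: int) -> List[str]:
    """The behaviour the issue reports: any non-zero exit from `id -Gn` is
    treated as 'no groups at all', which locks the user out."""
    return names_out.split() if names_exit == 0 else []


def resolve_groups(names_out: str, names_exit: int,
                   ids_out: str, primary_gid: str) -> List[str]:
    """Merge `id -Gn` and `id -G` output into a list of resolvable group
    names, primary group first, following the rule in the comment."""
    names = names_out.split()
    ids = ids_out.split()
    if names_exit == 0:
        resolved = list(names)
    else:
        if len(names) != len(ids):
            # Output shapes disagree, so positional pairing is unsafe;
            # fall back to 'nothing resolvable' rather than guess.
            return []
        # A position where the name equals the id is an unresolved gid that
        # `id -Gn` echoed numerically; keep every other name. Note this also
        # drops a group whose numeric name happens to equal its gid.
        resolved = [n for n, g in zip(names, ids) if n != g]
    # Move the primary group's name to the front if it survived resolution.
    if primary_gid in ids:
        primary_name = names[ids.index(primary_gid)]
        if primary_name in resolved:
            resolved.remove(primary_name)
            resolved.insert(0, primary_name)
    return resolved


def lookup_groups(user: str) -> List[str]:
    """Live wrapper around `id` (no shell, argv only). Hypothetical helper,
    not the Hadoop code path; used only outside the offline sample."""
    gn = subprocess.run(["id", "-Gn", user], capture_output=True, text=True)
    g = subprocess.run(["id", "-G", user], capture_output=True, text=True)
    pg = subprocess.run(["id", "-g", user], capture_output=True, text=True)
    if g.returncode != 0 or pg.returncode != 0:
        return []
    return resolve_groups(gn.stdout, gn.returncode, g.stdout, pg.stdout.strip())


# POSIX portable filename character set (IEEE Std 1003.1-2008), with the
# restriction that a portable user/group name may not start with a hyphen.
_PORTABLE_NAME = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]*$")


def is_portable_name(name: str) -> bool:
    """True if `name` uses only the POSIX portable character set and does not
    begin with '-'. Purely numeric names such as '4242' are allowed."""
    return bool(_PORTABLE_NAME.match(name))


if __name__ == "__main__":
    print("legacy :", legacy_resolve(SAMPLE_ID_GN, 1))
    print("merged :", resolve_groups(SAMPLE_ID_GN, 1, SAMPLE_ID_G, SAMPLE_ID_G_PRIMARY))
    for n in ("hdfs", "4242", "-hdfs", "dev team"):
        print(f"{n!r:12} portable={is_portable_name(n)}")
```

On the constructed sample the legacy path returns an empty list (the lockout), while the merge keeps `hdfs` (moved to the front as the primary group) and the genuinely numeric group `4242`, drops the unresolvable gid `5001`, and, as the comment warns, also drops `7777` because its name and gid coincide.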

> Partial group resolution failure should not result in user lockout
> ------------------------------------------------------------------
>
>                 Key: HADOOP-12468
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12468
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.1
>         Environment: Linux
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>            Priority: Minor
>         Attachments: HADOOP-12468.001.patch, HADOOP-12468.002.patch, 
> HADOOP-12468.003.patch, HADOOP-12468.004.patch
>
>
> If a Hadoop cluster is configured to use ShellBasedUnixGroupsMapping for 
> user/group name mapping, occasionally some group names may become 
> unresolvable (for example, using SSSD). 
> ShellBasedUnixGroupsMapping uses shell command "id -Gn" to retrieve the group 
> name of a user; however, the existing logic assumes that if the exit code of 
> the command is non-zero, the user has no group name at all. The shell command 
> in Linux returns non-zero exit code if a group name is not resolvable. 
> Unfortunately, it is possible that a user belongs to multiple groups, and any 
> partial failure in group name resolution would deny the user's access.
> On the other hand, the JNI implementation (JniBasedUnixGroupsMapping) is more 
> resilient. If any group name is unresolvable, it is simply ignored, and 
> whatever is resolvable is returned.
> It is arguable that if the group name is not resolvable, the administrator 
> should configure their directory/authentication service correctly, and Hadoop 
> is in no position to handle it, but since the existing unit tests assume the 
> outputs of the JNI-based and shell-based implementations are the same, we should 
> improve the shell-based group name resolution, and make it as resilient as 
> the JNI-based one.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)