[ https://issues.apache.org/jira/browse/HADOOP-12468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15022829#comment-15022829 ]
Yongjun Zhang commented on HADOOP-12468:
----------------------------------------
Hi [~jojochuang],
Thanks for the new rev (07). It looks good; some nits, +1 after that:
* The "@Test" annotation needs its own line, and add an empty line before each
test method.
* Suggest changing the order of each test method and the class definitions it
uses, so that the test method appears after the definitions of the classes it
uses.
* Add a comment to TestGroupNotResolvable stating that "There is both a group
name 9999 and a group ID 9999; this is treated as an unresolvable group".
* Add a comment to TestNumericGroupResolvable stating that "There is a
numerical group 23 and there is no group name 23, thus 23 is treated as a
resolvable group name".
Thanks.
> Partial group resolution failure should not result in user lockout
> ------------------------------------------------------------------
>
> Key: HADOOP-12468
> URL: https://issues.apache.org/jira/browse/HADOOP-12468
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.6.1
> Environment: Linux
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Priority: Minor
> Attachments: HADOOP-12468.001.patch, HADOOP-12468.002.patch,
> HADOOP-12468.003.patch, HADOOP-12468.004.patch, HADOOP-12468.005.patch,
> HADOOP-12468.006.patch, HADOOP-12468.007.patch
>
>
> If a Hadoop cluster is configured to use ShellBasedUnixGroupsMapping for
> user/group name mapping, occasionally some group names may become
> unresolvable (for example, using SSSD).
> ShellBasedUnixGroupsMapping uses the shell command "id -Gn" to retrieve the
> group names of a user; however, the existing logic assumes that if the exit
> code of the command is non-zero, the user has no group name at all. The shell
> command in Linux returns a non-zero exit code if a group name is not
> resolvable.
> Unfortunately, it is possible that a user belongs to multiple groups, and any
> partial failure in group name resolution would deny the user's access.
> On the other hand, the JNI implementation (JniBasedUnixGroupsMapping) is more
> resilient. If any group name is unresolvable, it is simply ignored, and
> whatever is resolvable is returned.
> It is arguable that if a group name is not resolvable, the administrator
> should configure their directory/authentication service correctly and Hadoop
> is in no position to handle it, but since the existing unit tests assume the
> outputs of the JNI-based and shell-based implementations are the same, we
> should improve the shell-based group name resolution and make it as resilient
> as the JNI-based one.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
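The shell-based lookup failure described in the quoted report, as an added example that is not part of the ticket or of Hadoop's code: `strict_groups` models the behaviour the report criticises (any non-zero exit of `id -Gn` is read as "the user has no groups"), and `filter_resolved` shows one resilient alternative that keeps the names `id` did resolve. The filter relies on GNU coreutils `id` printing the numeric gid in place of a name it cannot resolve and exiting 1 while still printing the other names. Comparing each name token with the `id -G` output at the same position is this example's own heuristic for telling an unresolved gid from a group that is genuinely named with digits; it is an assumption, not a description of what the HADOOP-12468 patch does. The sample outputs are constructed, and `resolve_groups` is a hypothetical wrapper that runs the real commands.

```shell
#!/bin/sh
# Added example, not Hadoop's code: why treating any non-zero exit of
# `id -Gn` as "no groups" locks a user out, and a more resilient parse.
#
# Behaviour relied on (GNU coreutils id): for a gid with no group entry,
# `id -Gn` prints the numeric gid in place of the name, warns on stderr
# and exits 1; the names it could resolve are still printed.

# Print the n-th (0-based) whitespace-separated field of the remaining
# arguments, or an empty line if there is none.
nth_field() {
  n="$1"
  shift
  if [ "$n" -ge "$#" ]; then
    printf '\n'
    return 0
  fi
  shift "$n"
  printf '%s\n' "$1"
}

# The logic the report describes: a non-zero exit code is read as
# "the user has no groups", so one unresolvable gid empties the list.
strict_groups() {
  exit_code="$1"
  names="$2"
  if [ "$exit_code" -ne 0 ]; then
    printf '\n'
  else
    printf '%s\n' "$names"
  fi
}

# Resilient parse. Inputs: stdout of `id -G` (numeric gids) and stdout of
# `id -Gn` (names) for the same user. Heuristic used here (this example's
# assumption, not the HADOOP-12468 patch): a name token that is all digits
# AND equals the gid at the same position is a gid that `id` could not
# resolve, so drop it; everything else is a real name, even if numeric.
filter_resolved() {
  gids="$1"
  names="$2"
  result=""
  i=0
  for name in $names; do
    gid=$(nth_field "$i" $gids)
    i=$((i + 1))
    case "$name" in
      *[!0-9]*) ;;                                      # has a non-digit: a real name
      *) if [ "$name" = "$gid" ]; then continue; fi ;;  # unresolved gid: drop it
    esac
    result="${result:+$result }$name"
  done
  printf '%s\n' "$result"
}

# Hypothetical wrapper: run the real commands for a user. Exit codes other
# than 0 and 1 (for example, an unknown user) are propagated instead of
# being misread as "member of no groups".
resolve_groups() {
  user="$1"
  gid_out=$(id -G "$user" 2>/dev/null) || return $?
  ec=0
  name_out=$(id -Gn "$user" 2>/dev/null) || ec=$?
  if [ "$ec" -ne 0 ] && [ "$ec" -ne 1 ]; then
    return "$ec"
  fi
  filter_resolved "$gid_out" "$name_out"
}

# Constructed sample (not captured from a real system): the user's second
# gid, 9999, has no name; GNU id prints "hadoop 9999 hdfs" and exits 1.
SAMPLE_GIDS="1000 9999 1001"
SAMPLE_NAMES="hadoop 9999 hdfs"
SAMPLE_EXIT=1

echo "strict:    '$(strict_groups "$SAMPLE_EXIT" "$SAMPLE_NAMES")'"
echo "resilient: '$(filter_resolved "$SAMPLE_GIDS" "$SAMPLE_NAMES")'"
# A group genuinely named "23" (here with gid 5000) survives the filter:
echo "numeric-named group: '$(filter_resolved "1000 5000" "hadoop 23")'"
```

Running the script prints the empty strict list beside the resilient one. Note the remaining edge: a user whose every gid is unresolvable still comes back with an empty list, which the filter reports as no groups rather than as an error, so the caller has to decide whether that should deny access or be logged as a directory problem.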