[ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663067#action_12663067 ]

Allen Wittenauer commented on HADOOP-4656:
------------------------------------------

Groups should definitely come from asking the host OS in some form using the 
Java equivalent of getgrent() and friends. [Be aware that getgroups() is 
BSD-specific and may not be available on System V, such as Solaris and HP-UX.] 
Doing this via shell call out is just going to exacerbate the memory problems 
we already see, especially on the secondary name node that requires more memory 
than the primary due to the fork of whoami/id! 

It also opens up yet another security hole where any random groups command on 
the name node's path can be used to override. Not Good(tm).


> Add a user to groups mapping service 
> -------------------------------------
>
>                 Key: HADOOP-4656
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4656
>             Project: Hadoop Core
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.19.0
>            Reporter: Arun C Murthy
>            Assignee: Arun C Murthy
>         Attachments: HADOOP-4656_0_20090108.patch
>
>
> Currently the IPC client sends the UGI which contains the user/group 
> information for the Server. However this represents the groups for the user 
> on the client-end. The more pertinent mapping from user to groups is actually 
> the one seen by the Server. Hence the client should only send the user and we 
> should add a 'group mapping service' so that the Server can query it for the 
> mapping.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
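
Added example, not part of the original comment or of the attached Hadoop patch: the two concerns raised in the comment, shown in Python rather than Hadoop's Java. It resolves a user's groups in-process from the host's passwd/group databases (no fork, no PATH lookup) and flags PATH entries from which a substituted `groups` binary could be picked up. The function names `gid_to_name`, `groups_for_user` and `risky_path_entries` are hypothetical.

```python
import grp
import os
import pwd
import stat


def gid_to_name(gid):
    """Map a numeric gid to its name; fall back to the number if unnamed."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def groups_for_user(username):
    """Resolve groups as this host sees them, in-process (no fork, no PATH).

    Unknown users get an empty list so that callers deny by default.
    """
    try:
        primary = pwd.getpwnam(username).pw_gid
    except KeyError:
        return []
    gids = set(os.getgrouplist(username, primary))
    gids.discard(primary)
    return [gid_to_name(primary)] + [gid_to_name(g) for g in sorted(gids)]


def risky_path_entries(path_value):
    """List PATH entries from which a substituted `groups` binary could run."""
    risky = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            # "", "." and relative entries resolve against the working directory
            risky.append(entry or "<empty>")
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue  # directory does not exist, nothing can be run from it
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(entry)  # writable by someone other than the owner
    return risky


if __name__ == "__main__":
    for user in ("root", "no-such-user-constructed"):  # constructed sample names
        print(user, groups_for_user(user))
    print("risky PATH entries:", risky_path_entries(os.environ.get("PATH", "")))
```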
