[jira] [Commented] (HDFS-7146) NFS ID/Group lookup requires SSSD enumeration on the server

Fri, 26 Sep 2014 15:50:31 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-7146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14150146#comment-14150146
 ] 

Allen Wittenauer commented on HDFS-7146:
----------------------------------------

A quick primer on OS X naming services....

Apple uses a system called Directory Services.  [dscl = Directory Services 
Command Line (utility)]  It's based upon NextStep's NetInfo idea where objects 
are organized in a pseudo-directory layout with certain top level structures 
being an amalgamation of all of the services. So, for example, if a system is 
configured with LDAP and Files,  /Users will be /etc/passwd + LDAP ou=people 
(or whatever).  But you can specify /LDAPv3/server/Users to get specifically 
the LDAP part.  This is similar to how nsswitch and sssd works on other OSes, 
but with more structure.

This used to be a lot easier, but now if you go through System Preferences -> 
Users & Groups -> Login Options -> Network Account Server-> Join... you'll get 
to Directory Utility which allows you to add multiple sources for 
authentication and other naming services.

(I've been doing this stuff for way too long. *sigh*)

> NFS ID/Group lookup requires SSSD enumeration on the server
> -----------------------------------------------------------
>
>                 Key: HDFS-7146
>                 URL: https://issues.apache.org/jira/browse/HDFS-7146
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: nfs
>    Affects Versions: 2.6.0
>            Reporter: Yongjun Zhang
>            Assignee: Yongjun Zhang
>
> The current implementation of the NFS UID and GID lookup works by running 
> 'getent passwd' with an assumption that it will return the entire list of 
> users available on the OS, local and remote (AD/etc.).
> This behaviour of the command is advised to be and is prevented by 
> administrators in most secure setups to avoid excessive load to the ADs 
> involved, as the # of users to be listed may be too large, and the repeated 
> requests of ALL users not present in the cache would be too much for the AD 
> infrastructure to bear.
> The NFS server should likely do lookups based on a specific UID request, via 
> 'getent passwd <UID>', if the UID does not match a cached value. This reduces 
> load on the LDAP backed infrastructure.
> Thanks [~qwertymaniac] for reporting the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to