[jira] [Commented] (HDFS-7146) NFS ID/Group lookup requires SSSD enumeration on the server

Mon, 06 Oct 2014 11:36:13 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-7146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14160659#comment-14160659
 ] 

Yongjun Zhang commented on HDFS-7146:
-------------------------------------

HI [~brandonli], thanks for your comments. I just uploaded rev 03. It works 
slightly different than what you described.

1. At initialization, the map is empty
2. Both users/groups/ids are added to the map on demand (e.g. when requested), 
3. When groupId is requested for a given groupName, if the groupName is 
numerical, the full group map is loaded (this is lazy full list load I referred 
to ealier
4. Periodically update the cached maps for both user and group. What I do here 
is actually to clear the map. I imaged that some users and groups might be 
removed (for example, a user changed job), so I instead of loading anything, I 
cleared the map during this update, essentially reinitialize the map. And then 
steps 2 and 3 will be repeated

I did not change the logic when to update the map.

Would you please take a look again to see if the change makes sense to you? 
thanks a lot.
 
 

> NFS ID/Group lookup requires SSSD enumeration on the server
> -----------------------------------------------------------
>
>                 Key: HDFS-7146
>                 URL: https://issues.apache.org/jira/browse/HDFS-7146
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: nfs
>    Affects Versions: 2.6.0
>            Reporter: Yongjun Zhang
>            Assignee: Yongjun Zhang
>         Attachments: HDFS-7146.001.patch, HDFS-7146.002.allIncremental.patch, 
> HDFS-7146.003.patch
>
>
> The current implementation of the NFS UID and GID lookup works by running 
> 'getent passwd' with an assumption that it will return the entire list of 
> users available on the OS, local and remote (AD/etc.).
> This behaviour of the command is advised to be and is prevented by 
> administrators in most secure setups to avoid excessive load to the ADs 
> involved, as the # of users to be listed may be too large, and the repeated 
> requests of ALL users not present in the cache would be too much for the AD 
> infrastructure to bear.
> The NFS server should likely do lookups based on a specific UID request, via 
> 'getent passwd <UID>', if the UID does not match a cached value. This reduces 
> load on the LDAP backed infrastructure.
> Thanks [~qwertymaniac] for reporting the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to