[
https://issues.apache.org/jira/browse/HDFS-7146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14160678#comment-14160678
]
Yongjun Zhang commented on HDFS-7146:
-------------------------------------
Hi [~aw],
Thanks for the info you provided. Here is what the comment says (man getent):
{code}
group     When no key is provided, use setgrent(3), getgrent(3), and
          endgrent(3) to enumerate the group database. When one or more
          key arguments are provided, pass each numeric key to
          getgrgid(3) and each nonnumeric key to getgrnam(3) and display
          the result.
passwd    When no key is provided, use setpwent(3), getpwent(3), and
          endpwent(3) to enumerate the passwd database. When one or more
          key arguments are provided, pass each numeric key to
          getpwuid(3) and each nonnumeric key to getpwnam(3) and display
          the result.
{code}
If user name 123 has uid 456, and we do "getent passwd 123", it will think 123
is a uid and search for a user with uid 123, which may not exist; this is when
we get back nothing.
About the "id" command, I tested it on CentOS and Mac (thanks for
[[email protected]]'s help). Would you please comment on whether it's good
enough and what could be missed? The NFS code is said to support Linux and Mac only.
Thanks.
> NFS ID/Group lookup requires SSSD enumeration on the server
> -----------------------------------------------------------
>
> Key: HDFS-7146
> URL: https://issues.apache.org/jira/browse/HDFS-7146
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: nfs
> Affects Versions: 2.6.0
> Reporter: Yongjun Zhang
> Assignee: Yongjun Zhang
> Attachments: HDFS-7146.001.patch, HDFS-7146.002.allIncremental.patch,
> HDFS-7146.003.patch
>
>
> The current implementation of the NFS UID and GID lookup works by running
> 'getent passwd' with an assumption that it will return the entire list of
> users available on the OS, local and remote (AD/etc.).
> This behaviour of the command is advised to be and is prevented by
> administrators in most secure setups to avoid excessive load to the ADs
> involved, as the # of users to be listed may be too large, and the repeated
> requests of ALL users not present in the cache would be too much for the AD
> infrastructure to bear.
> The NFS server should likely do lookups based on a specific UID request, via
> 'getent passwd <UID>', if the UID does not match a cached value. This reduces
> load on the LDAP backed infrastructure.
> Thanks [~qwertymaniac] for reporting the issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
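The numeric-key rule quoted from the getent man page in the comment above, as an added Python example that is not part of the original message or of the HDFS-7146 patches. The passwd records and function names are constructed for illustration. It also goes one step beyond the comment's case: when a numeric login name equals another account's uid, the untyped lookup returns that other account rather than nothing.

```python
# Constructed passwd(5)-style records for illustration; not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
123:x:456:456:numeric login name:/home/123:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
1000:x:2000:2000:name equal to alice's uid:/home/1000:/bin/bash
"""


def parse_passwd(text):
    """Return (name -> uid, uid -> name) maps from passwd-format text."""
    by_name, by_uid = {}, {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            continue  # skip blank or malformed records
        name, uid = fields[0], int(fields[2])
        by_name.setdefault(name, uid)  # first matching record wins
        by_uid.setdefault(uid, name)
    return by_name, by_uid


def getent_style(key, by_name, by_uid):
    """Dispatch as the man page describes: a numeric key is looked up as a
    uid, a non-numeric key as a name. Returns (name, uid) or None."""
    if key.isdecimal():
        name = by_uid.get(int(key))
        return None if name is None else (name, int(key))
    uid = by_name.get(key)
    return None if uid is None else (key, uid)


def uid_of_user(name, by_name):
    """Typed lookup: the key is always a login name (getpwnam(3) semantics)."""
    return by_name.get(name)


def user_of_uid(uid, by_uid):
    """Typed lookup: the key is always a uid (getpwuid(3) semantics)."""
    return by_uid.get(uid)


BY_NAME, BY_UID = parse_passwd(SAMPLE_PASSWD)

if __name__ == "__main__":
    for key in ("alice", "123", "1000"):
        print(f"getent-style {key!r}: {getent_style(key, BY_NAME, BY_UID)}; "
              f"by name: {uid_of_user(key, BY_NAME)}")
```

An identity mapper that keeps name lookups and uid lookups as separate typed calls avoids both outcomes: the miss for user "123" and the wrong record for user "1000".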