[ https://issues.apache.org/jira/browse/HDFS-7146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14160906#comment-14160906 ]
Allen Wittenauer commented on HDFS-7146:
----------------------------------------
bq. If user name 123
That's not a legal Unix user name and most/all compliant useradd's will kick it
back as invalid. FWIW, all sorts of problems happen with all numeric usernames
if one tries to use them. For example, if one runs 'chown 123 file' what
permissions would be on the file? It's perfectly reasonable for the system to
fail in this scenario.
bq. About "id" command
I'm -1 on using id for this, even if it works on Linux and OS X. It limits any
future portability to systems on SysV machines where /usr/bin/id is typically
the SysV id and not POSIX id. We've been down this road before with id in the
pre-security days. It was a problem then and it will be a problem in the future.
(Never mind the fact that I suspect the code actually works on other operating
systems, but we've artificially limited it for reasons which I'm unclear on.)
tl;dr: So use getent on everything but OS X.
> NFS ID/Group lookup requires SSSD enumeration on the server
> -----------------------------------------------------------
>
> Key: HDFS-7146
> URL: https://issues.apache.org/jira/browse/HDFS-7146
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: nfs
> Affects Versions: 2.6.0
> Reporter: Yongjun Zhang
> Assignee: Yongjun Zhang
> Attachments: HDFS-7146.001.patch, HDFS-7146.002.allIncremental.patch,
> HDFS-7146.003.patch
>
>
> The current implementation of the NFS UID and GID lookup works by running
> 'getent passwd' with an assumption that it will return the entire list of
> users available on the OS, local and remote (AD/etc.).
> This behaviour of the command is advised to be and is prevented by
> administrators in most secure setups to avoid excessive load to the ADs
> involved, as the # of users to be listed may be too large, and the repeated
> requests of ALL users not present in the cache would be too much for the AD
> infrastructure to bear.
> The NFS server should likely do lookups based on a specific UID request, via
> 'getent passwd <UID>', if the UID does not match a cached value. This reduces
> load on the LDAP backed infrastructure.
> Thanks [~qwertymaniac] for reporting the issue.
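The per-UID lookup proposed in the issue description, with the cache it mentions and a check for the all-numeric-name ambiguity raised in the comment, as an added example that is not Hadoop's code or part of the original message. The names `uid_to_name`, `LOOKUP` and `CACHE_FILE` are hypothetical, and the default lookup command assumes a platform that has `getent`.

```shell
#!/bin/sh
# Added example, not Hadoop code. LOOKUP, CACHE_FILE and uid_to_name are
# hypothetical names. LOOKUP resolves ONE key; the default is the single-key
# getent form from the issue text (a platform without getent needs another).
: "${LOOKUP:=getent passwd}"
CACHE_FILE=${CACHE_FILE:-$(mktemp)}   # "uid:name" lines; a file survives subshells

# uid_to_name UID -> prints the user name.
# Returns 2 for a malformed UID, 1 when no matching account is found.
uid_to_name() {
    uid=$1
    # Digits only: the value is passed to an external command, and a
    # non-numeric key would turn the query into a lookup by name.
    case $uid in
        ''|*[!0-9]*) return 2 ;;
    esac

    # Cache hit: no call to the directory at all. Appending "" forces awk to
    # compare as strings, so "0123" never matches "123".
    name=$(awk -F: -v u="$uid" '($1 "") == (u "") { print $2; exit }' "$CACHE_FILE")
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
        return 0
    fi

    # Cache miss: one single-key query instead of listing every account.
    rec=$($LOOKUP "$uid" 2>/dev/null) || return 1

    # Accept the record only if its UID field (3rd) is the UID asked for.
    # This rejects a record matched by NAME, e.g. an account called "123".
    name=$(printf '%s\n' "$rec" |
        awk -F: -v u="$uid" '($3 "") == (u "") { print $1; exit }')
    [ -n "$name" ] || return 1

    printf '%s:%s\n' "$uid" "$name" >> "$CACHE_FILE"   # misses are not cached
    printf '%s\n' "$name"
}

# Stand-alone use: sh uid_lookup.sh 1000
[ $# -eq 0 ] || uid_to_name "$1"
```

Unknown UIDs are deliberately not cached here, so a repeated request for a missing UID reaches the directory each time; a deployment that sees many such requests would add a short-lived negative cache.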