[ 
https://issues.apache.org/jira/browse/HDFS-7146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14167342#comment-14167342
 ] 

Yongjun Zhang commented on HDFS-7146:
-------------------------------------

Hi [~aw],

Thanks for your reply.  Frankly speaking, because of the field issue 
[~brandonli] described,
{quote}
Here is the problem I noticed in the field. A user has more than 70K users on 
an LDAP server which is configured to return no more than roughly 70K entries 
for each query. NFS gateway could not load all users since it tried to get the 
complete user list in one command. Therefore, some users can't access their own 
files because NFS gateway can't find their mapping in the cache.
{quote}
I personally think fixing the jira here first would allow us to make better 
progress. Creating a new jira to address the consolidation would allow us more 
time for discussions and iterations (given the two mechanisms and their 
use cases are quite different).

I will look into the consolidation part as you suggested. Since the 
infrastructure and application of the two mechanisms are quite different, I 
expect it will take quite some time, and follow-up discussions.

Thanks.


> NFS ID/Group lookup requires SSSD enumeration on the server
> -----------------------------------------------------------
>
>                 Key: HDFS-7146
>                 URL: https://issues.apache.org/jira/browse/HDFS-7146
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: nfs
>    Affects Versions: 2.6.0
>            Reporter: Yongjun Zhang
>            Assignee: Yongjun Zhang
>         Attachments: HDFS-7146.001.patch, HDFS-7146.002.allIncremental.patch, 
> HDFS-7146.003.patch
>
>
> The current implementation of the NFS UID and GID lookup works by running 
> 'getent passwd' with an assumption that it will return the entire list of 
> users available on the OS, local and remote (AD/etc.).
> This behaviour of the command is advised to be and is prevented by 
> administrators in most secure setups to avoid excessive load to the ADs 
> involved, as the # of users to be listed may be too large, and the repeated 
> requests of ALL users not present in the cache would be too much for the AD 
> infrastructure to bear.
> The NFS server should likely do lookups based on a specific UID request, via 
> 'getent passwd <UID>', if the UID does not match a cached value. This reduces 
> load on the LDAP backed infrastructure.
> Thanks [~qwertymaniac] for reporting the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
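
The per-UID lookup proposed in the issue description above, sketched as an added example; it is not code from this message or from the HDFS-7146 patches. The names UidCache, getent_passwd, the ttl value and the SAMPLE directory are hypothetical, and caching of unknown UIDs is an assumption added here to keep repeated misses off the directory servers.

```python
import subprocess
import time

def parse_passwd_line(line):
    """Return (name, uid) from one passwd(5) entry, or None if malformed."""
    fields = line.strip().split(":")
    if len(fields) < 3 or not fields[0]:
        return None
    if not (fields[2].isascii() and fields[2].isdigit()):
        return None
    return fields[0], int(fields[2])

def getent_passwd(uid):
    """Resolve one UID through NSS with 'getent passwd <UID>'; no enumeration."""
    # Argument list (no shell) plus an int-formatted key keeps the call injection-free.
    out = subprocess.run(["getent", "passwd", str(int(uid))],
                         capture_output=True, text=True, timeout=10)
    return out.stdout if out.returncode == 0 else ""

class UidCache:
    """Hypothetical on-demand UID -> name cache; the backend is asked only on a miss."""
    def __init__(self, lookup=getent_passwd, ttl=900, clock=time.monotonic):
        self.lookup, self.ttl, self.clock = lookup, ttl, clock
        self.entries = {}          # uid -> (name or None, expiry time)
        self.backend_calls = 0

    def name_for(self, uid):
        if not isinstance(uid, int) or isinstance(uid, bool) or not 0 <= uid < 2**32:
            raise ValueError("uid must be an unsigned 32-bit integer")
        hit = self.entries.get(uid)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.backend_calls += 1
        parsed = parse_passwd_line(self.lookup(uid))
        # Accept the answer only if it is for the UID that was asked about.
        name = parsed[0] if parsed and parsed[1] == uid else None
        # Assumption: unknown UIDs are cached too, so misses do not hammer LDAP/AD.
        self.entries[uid] = (name, self.clock() + self.ttl)
        return name

# Constructed sample directory standing in for the LDAP/AD backend.
SAMPLE = {1001: "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n",
          1002: "bob:*:1002:1002::/home/bob:/bin/sh\n"}

def demo():
    cache = UidCache(lookup=lambda uid: SAMPLE.get(uid, ""))
    names = [cache.name_for(u) for u in (1001, 1001, 1002, 4242, 4242)]
    return names, cache.backend_calls
```

With the default lookup, each cache miss costs one keyed NSS query, so the gateway works when enumeration is disabled in SSSD or capped by the LDAP server.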
