Amogh Margoor created IMPALA-11027:
--------------------------------------
Summary: Support for ShellBasedUnixGroupMapping for Impala's user
delegation via groups
Key: IMPALA-11027
URL: https://issues.apache.org/jira/browse/IMPALA-11027
Project: IMPALA
Issue Type: Improvement
Reporter: Amogh Margoor
When impala.doAs.user is set for user delegation, Impala checks if the
delegation is allowed or not based on either of the following:
# user mapping: Specified using
{code:java}
authorized_proxy_user_config{code}
# groups mapping: Specified using. authorized_proxy_group_config
For checking group mapping currently JNIBasedUnixGroupMapping is supported and
not ShellBasedUnixGroupMapping. Ref:
[https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/GroupsMapping.html]
This was done because of caveats that ShellBasedUnixGroupMapping spawns a new
shell command to figure out groups for 'impala.doAs.user' when group mapping is
specified. Many numerous shell commands could potentially cause issues like
resource crunch, file descriptor issues and also zombie processes. Hence it is
discouraged. However, we should support it for users that understand these
caveats well and still want to use it. One reason could be that other
components of impala might not have moved to JNI based group mapping and still
be using Shell based.
Regarding caveats few things help:
# Chances are zombie process are very low.
# Due to vfork being used we do not see too much of resource consumption
during process spawning. On memory it takes around 8KB and duration of process
is around 16-17ms.
# immediate exec after vfork would ensure other resources that might get
cloned via vfork are present for very short duration.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
