[ https://issues.apache.org/jira/browse/IMPALA-11027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17450156#comment-17450156 ]

ASF subversion and git services commented on IMPALA-11027:
----------------------------------------------------------

Commit b2c51a0cefb00eccad98d020f5b16cf18a56c979 in impala's branch 
refs/heads/master from Amogh Margoor
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=b2c51a0 ]

IMPALA-11027: Adding flag to enable support for ShellBasedUnixGroupsMapping

Currently, Impala doesn't support ShellBasedUnixGroupsMapping and
ShellBasedUnixGroupsNetgroupMapping to fetch Hadoop groups as they
spawn a new process and run a shell command to fetch group info.
In Impala, this would happen for every session being created
when user delegation is enabled via impala.doas.user and
authorized_proxy_group_config. It can have many gotchas like
spawning many processes together in a highly concurrent setting,
creation of zombie processes on abrupt crashing of impalad etc.

However, not everyone in the ecosystem has moved away from shell based
group mapping. For instance, in the Cloudera distribution many components
still rely on it. So we need a way to allow users to use shell based
mapping instead of not allowing it altogether.
This patch provides a flag which would allow the support for users
that are aware of the gotchas it comes with.

Change-Id: I023f396a79f3aa27ad6ac80e91f527058a5a5470
Reviewed-on: http://gerrit.cloudera.org:8080/18019
Reviewed-by: Zoltan Borok-Nagy <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> Support for ShellBasedUnixGroupMapping for Impala's user delegation via groups
> ------------------------------------------------------------------------------
>
>                 Key: IMPALA-11027
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11027
>             Project: IMPALA
>          Issue Type: Improvement
>            Reporter: Amogh Margoor
>            Assignee: Amogh Margoor
>            Priority: Major
>
> When impala.doAs.user is set for user delegation, Impala checks if the 
> delegation is allowed or not based on either of the following:
>  # user mapping: Specified using authorized_proxy_user_config
>  # groups mapping: Specified using authorized_proxy_group_config
>  
>  
> For checking group mapping currently JNIBasedUnixGroupMapping is supported 
> and not ShellBasedUnixGroupMapping. Ref: 
> [https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/GroupsMapping.html]
> This was done because of the caveat that ShellBasedUnixGroupMapping spawns a new 
> shell command to figure out groups for 'impala.doAs.user' when group mapping 
> is specified. Numerous shell commands could potentially cause issues 
> like resource crunch, file descriptor issues and also zombie processes. Hence 
> it is discouraged. However, we should support it for users that understand 
> these caveats well and still want to use it. One reason could be that other 
> components of impala might not have moved to JNI based group mapping and 
> still be using Shell based.
> Regarding the caveats, a few things help:
>  # Chances of zombie processes are very low.
>  # Due to vfork being used we do not see too much resource consumption 
> during process spawning. On memory it takes around 8KB and duration of 
> process is around 16-17ms.
>  # Immediate exec after vfork would ensure other resources that might get 
> cloned via vfork are present for very short duration.
>  
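
The two lookup strategies the issue contrasts, as an added Python example that is not part of the original message and is not Impala or Hadoop code: one child process per lookup versus an in-process libc call. The use of `id -Gn` as the spawned command, the user-name pattern and all function names are assumptions made for illustration.

```python
import grp
import os
import pwd
import re
import subprocess

# Conservative account-name pattern (assumption): rejects option-like or
# shell-like input before it ever reaches a command line.
_USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

def _check(user):
    if not _USER_RE.match(user):
        raise ValueError(f"refusing suspicious user name: {user!r}")
    return user

def groups_via_shell(user, timeout=5.0):
    """Shell-based style: one child process per lookup."""
    # Argument list, no shell, so the name is never parsed as shell syntax.
    # run() waits for the child, and kills then reaps it on timeout,
    # so a slow directory service cannot leave zombies behind.
    proc = subprocess.run(["id", "-Gn", _check(user)], capture_output=True,
                          text=True, timeout=timeout, check=True)
    return set(proc.stdout.split())

def groups_via_libc(user):
    """In-process style: getgrouplist(3) through libc, no process spawned."""
    primary = pwd.getpwnam(_check(user)).pw_gid
    return {grp.getgrgid(gid).gr_name for gid in os.getgrouplist(user, primary)}

def compare(user):
    """Return both results so a mismatch between the two paths is visible."""
    shell, libc = groups_via_shell(user), groups_via_libc(user)
    return {"shell": shell, "libc": libc, "agree": shell == libc}

if __name__ == "__main__":
    print(compare("root"))
```

Running `compare` for a delegated user on each host is a quick check that switching mapping implementations does not change the groups an authorization decision sees.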


