hadoop-common-issues mailing list archives

From FROHNER Ákos (JIRA) <j...@apache.org>
Subject [jira] Commented: (HADOOP-4656) Add a user to groups mapping service
Date Mon, 14 Sep 2009 15:52:57 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755035#action_12755035 ]

FROHNER Ákos commented on HADOOP-4656:
--------------------------------------

Please consider passing the authentication context to the getGroups() method,
as it might be easier to retrieve the associated groups using that information
than based only on the username.

For example in POSIX environments it is faster to do a lookup based on the 
numeric UID, than based on the username.

If you are using Kerberos with PAC, then the authentication context may already
contain a list of associated groups:
http://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs

There is a similar solution based on X509 authentication, where the associated
list of groups is embedded into the authentication context.

> Add a user to groups mapping service 
> -------------------------------------
>
>                 Key: HADOOP-4656
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4656
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.19.0
>            Reporter: Arun C Murthy
>            Assignee: Arun C Murthy
>         Attachments: HADOOP-4656_0_20090108.patch
>
>
> Currently the IPC client sends the UGI which contains the user/group information for
> the Server. However this represents the groups for the user on the client-end. The more pertinent
> mapping from user to groups is actually the one seen by the Server. Hence the client should
> only send the user and we should add a 'group mapping service' so that the Server can query
> it for the mapping.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
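
The suggestion in the comment above, as an added example that is not Hadoop's code and not part of the original message: a server-side getGroups() that receives the authentication context, uses a group list embedded in the credential when there is one, then the numeric UID, and falls back to the username last. `AuthContext`, its fields and the lookup tables are hypothetical, the data is constructed, and the credential is assumed to have been validated by the server before this call.

```java
import java.util.*;

// Hypothetical sketch: AuthContext, its fields and the tables are not Hadoop APIs.
public class GroupMappingExample {
    /** What the server established while authenticating the caller. */
    static final class AuthContext {
        final String user;                   // authenticated principal name
        final Integer uid;                   // numeric UID if the mechanism supplies one, else null
        final List<String> credentialGroups; // groups embedded in the credential (PAC, X.509), else null
        AuthContext(String user, Integer uid, List<String> credentialGroups) {
            this.user = user; this.uid = uid; this.credentialGroups = credentialGroups;
        }
    }

    // Constructed data standing in for the server's own account database.
    static final Map<String, Integer> UID_BY_NAME = new HashMap<>();
    static final Map<Integer, List<String>> GROUPS_BY_UID = new HashMap<>();
    static {
        UID_BY_NAME.put("alice", 1001);
        GROUPS_BY_UID.put(1001, Arrays.asList("users", "analysts"));
    }

    /** Server-side mapping; groups claimed by the client are never an input. */
    static List<String> getGroups(AuthContext ctx) {
        if (ctx.credentialGroups != null) {
            return ctx.credentialGroups;             // already carried by the validated credential
        }
        Integer uid = (ctx.uid != null) ? ctx.uid : UID_BY_NAME.get(ctx.user); // name lookup last
        List<String> groups = (uid == null) ? null : GROUPS_BY_UID.get(uid);
        return (groups != null) ? groups : Collections.<String>emptyList(); // unknown user: none
    }

    public static void main(String[] args) {
        // Credential carries its own group list: no directory lookup needed.
        System.out.println(getGroups(new AuthContext("bob", null, Arrays.asList("ops"))));
        // Numeric UID known: direct lookup by UID.
        System.out.println(getGroups(new AuthContext("alice", 1001, null)));
        // Only the username is known: resolve the UID first, then the groups.
        System.out.println(getGroups(new AuthContext("alice", null, null)));
        // Unknown principal gets no groups rather than a client-supplied list.
        System.out.println(getGroups(new AuthContext("carol", null, null)));
    }
}
```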

