hadoop-common-issues mailing list archives

From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-7214) Hadoop /usr/bin/groups equivalent
Date Thu, 14 Apr 2011 22:57:05 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-7214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13020079#comment-13020079 ]

Aaron T. Myers commented on HADOOP-7214:
----------------------------------------

bq. Yes, it makes sense to let users determine their group membership. In case of LDAP,
clients should talk to the LDAP server directly. In case of shell, it may be better to run
a separate group server/process for the clients outside the domain.

Such an architecture only serves to make the system more brittle. Why should a user or client
program be concerned with *how* the NN is configured to perform its user/group mapping? Why
is it reasonable to assume that the LDAP server configured to provide user -> group mapping
on the NN is accessible or configured from the client machine?

bq. NN is already a bottleneck of the system. We don't want to overload it with other functionality.

I doubt seriously this new functionality will have hardly any detectable performance impact
on the NN. The NN already performs this user -> group mapping literally every time a file
or directory access is performed. It caches the results of these aggressively. A few users
occasionally running this command should only negligibly increase load on the NN.

bq. I think we need some help here. Could any security expert comment on this?

What security concerns do you still have regarding this patch? These concerns seem mostly
focused around the implementation, not on the security semantics.

> Hadoop /usr/bin/groups equivalent
> ---------------------------------
>
>                 Key: HADOOP-7214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7214
>             Project: Hadoop Common
>          Issue Type: New Feature
>    Affects Versions: 0.23.0
>            Reporter: Aaron T. Myers
>            Assignee: Aaron T. Myers
>         Attachments: hadoop-7214.0.txt, hadoop-7214.1.txt, hadoop-7214.2.txt, hadoop-7214.3.txt, hadoop-7214.4.txt
>
>
> Since user -> groups resolution is done on the NN and JT machines, there should be a way for users to determine what groups they're a member of from the NN's and JT's perspective.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
