Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
Reply-To: common-issues@hadoop.apache.org
Date: Thu, 14 Apr 2011 22:20:05 +0000 (UTC)
From: "Aaron T. Myers (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: 
 <1978670188.59067.1302819605917.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: 
 <1243264568.21599.1301502005765.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (HADOOP-7214) Hadoop /usr/bin/groups equivalent
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


    [ https://issues.apache.org/jira/browse/HADOOP-7214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13020062#comment-13020062 ] 

Aaron T. Myers commented on HADOOP-7214:
----------------------------------------

bq. In ShellBasedUnixGroupsMapping, is it valid to assume that they are in the same group administrative domain?

Not necessarily, but as I've mentioned previously, Hadoop already exposes this information, just not easily. Allen pointed out that it's available as part of the job conf. I also described a way a user could deduce what groups they belong to by repeatedly calling {{chgrp}}.

My point is just that Hadoop isn't hiding this information as it stands. Hadoop makes decisions based on the groups a user belongs to, so we should make it easy for our users to find out what groups Hadoop thinks they belong to.

bq. How about introduce a separated group proxy server for the clients outside the domain?

I don't fully understand the suggestion. Could you please elaborate? Is the point that you agree that users should be able to determine their group membership, but we should use some other process that isn't the NN to do it?

bq. It seems not right to use NN as a proxy service for group resolution.

I disagree. When a user interacts with HDFS, the only thing that matters with respect to groups is what groups the NN thinks they belong to. Thus, it seems perfectly natural to me to provide a way to ask the NN "what groups do you think I belong to?" Without this, it is very difficult for a user to deduce why they were denied access to a particular file/directory.

> Hadoop /usr/bin/groups equivalent
> ---------------------------------
>
>                 Key: HADOOP-7214
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7214
>             Project: Hadoop Common
>          Issue Type: New Feature
>    Affects Versions: 0.23.0
>            Reporter: Aaron T. Myers
>            Assignee: Aaron T. Myers
>         Attachments: hadoop-7214.0.txt, hadoop-7214.1.txt, hadoop-7214.2.txt, hadoop-7214.3.txt, hadoop-7214.4.txt
>
>
> Since user -> groups resolution is done on the NN and JT machines, there should be a way for users to determine what groups they're a member of from the NN's and JT's perspective.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira