hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9134) Unified server side user groups mapping service
Date Tue, 11 Dec 2012 22:45:21 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13529412#comment-13529412 ]

Kai Zheng commented on HADOOP-9134:
-----------------------------------

Currently the user group mapping service can only be used as client-side code in clients,
which can cause the following issues.

1. Groups mapping mismatch. This often occurs due to different environments between the client
host and the server (NameNode) host. By default ShellBasedGroupMapping or the like is used, but
OS users and their groups can be different on different hosts. When this happens it's often
very confusing for many new users.

2. A headache for management. The user group mapping service, as a basic facility for various
ecosystem components such as MapReduce, HBase, Hive and so on, should be consistent in its
configuration, and the behavior or result should be the same on all relevant nodes. If not,
authorization issues will be thrown. Such issues can often be seen in the Hive community. Thus
it's required to share/maintain the same set of related configurations on all nodes, but in
practice this can cause some other issues, like 3.

3. Security. A user with its groups concerns the identity store and its management, which often
introduces some credentials. For now LdapGroupMapping can be used for an AD/LDAP backend, which
needs the user password, keystore password, etc. to be configured in plaintext. Such info
shouldn't be exposed to all the world.
                
> Unified server side user groups mapping service
> -----------------------------------------------
>
>                 Key: HADOOP-9134
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9134
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.0.3-alpha
>            Reporter: Kai Zheng
>
> This proposes to provide/expose the server side user group mapping service in NameNode
> to clients so that user group mapping can be kept in a single place and thus unified in
> all nodes and clients.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
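
Added example, not part of the original message or of Hadoop's code: a small audit for the exposure described in point 3 of the comment. It checks a core-site.xml for the LDAP group mapping's inline password properties and flags the file if it is readable beyond its owner. The property names are the real Hadoop keys but do not appear in the message; the sample configuration and the 0o644 mode are constructed.

```python
import stat
import xml.etree.ElementTree as ET

# Real Hadoop keys that carry an LDAP group-mapping secret inline in core-site.xml.
INLINE_SECRET_KEYS = (
    "hadoop.security.group.mapping.ldap.bind.password",
    "hadoop.security.group.mapping.ldap.ssl.keystore.password",
)

def parse_properties(xml_text):
    """Return {name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text, file_mode):
    """Report inline secrets and whether the file holding them is widely readable."""
    props = parse_properties(xml_text)
    findings = [("inline-secret", k) for k in INLINE_SECRET_KEYS if props.get(k)]
    # Only flag permissions when the file actually contains a secret.
    if findings and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("readable-beyond-owner", oct(file_mode & 0o777)))
    return findings

# Constructed sample configuration, not taken from any real cluster.
SAMPLE = """<configuration>
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>cn=hadoop,ou=svc,dc=example,dc=com</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.password</name>
    <value>constructed-example-password</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    # 0o644 stands in for os.stat(path).st_mode of a world-readable core-site.xml.
    for finding in audit(SAMPLE, 0o644):
        print(finding)
```

On a real node, pass the file's contents and os.stat(path).st_mode; every client host that carries the same configuration needs the same check.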
