hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chuan Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8455) Address user name format on domain joined Windows machines
Date Sun, 02 Jun 2013 19:34:21 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13672653#comment-13672653

Chuan Liu commented on HADOOP-8455:

This JIRA mainly targets unseucre HADOOP; The configuration suggested by [~owen.omalley] is
for secure Hadoop, and does not apply here.

I have given this issue some new thoughts. We can solve this issue with the following two

1) If the user is a local user, remove the machine prefix and use only its user name as the
ID in Hadoop, e.g. 'Win1\Alex' and 'Win2\Alex' will both be identified as 'Alex' in Hadoop.
For service accounts on the machine, like 'NT AUTHORITY\SYSTEM', we can include the prefix
as there is no machine name in the ID.

2) If the user is a domain user, use the full name include domain as its ID, e.g. 'Redmond\Alex'
will be used in Hadoop to represent the user.

One important scenario for unsecure Hadoop is to allow local users of the same name to run
Hadoop cluster without a domain controller. For example, users can create local user 'Alex'
on the two machines 'Win1' and 'Win2', and run Hadoop under the local user 'Alex'. With rule
1) above, we can be consistent with this usage because 'Win1\Alex' and 'Win2\Alex' will be
recognized as 'Alex' in Hadoop.

With rule 2), we can distinguish local user and domain user in Hadoop thus solve the issue
of this JIRA. Since domain user representation is consistent across machines, the domain user
scenarios will not be affected. 

> Address user name format on domain joined Windows machines
> ----------------------------------------------------------
>                 Key: HADOOP-8455
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8455
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: native
>    Affects Versions: 1.1.0, 0.24.0
>            Reporter: Chuan Liu
>            Assignee: Ivan Mitic
>            Priority: Minor
> For a domain joined Windows machine, user name along is not a unique identifier. User
name plus domain name is need in order to unique identify the user. For example, we can have
both ‘Win1\Alex’ and ‘Redmond\Alex’ on a computer named Win1 that joins Redmond domain.
In order to avoid ambiguity, ‘whoami’ on Windows and the new ‘winutils’ created in
[Hadoop-8235|https://issues.apache.org/jira/browse/HADOOP-8235] both return [domain]\[username]
as the username. In Hadoop, we only use user name right now. This may lead to some inconsistency,
and production bugs if users of the same name exist on the machine.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message