hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8943) Support multiple group mapping providers
Date Tue, 17 Jun 2014 11:18:03 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033668#comment-14033668
] 

Kai Zheng commented on HADOOP-8943:
-----------------------------------

Hi Brandon,

Thanks for your review. I will rebase the rather old patch and update it according to your
comments.

1. I re-thought about it, and I think it might not be very necessary or appropriate
to introduce domain here, since we don't have a chance to get any domain attribute from
the user subject yet due to the current authentication mechanism's limitation. How about removing
the domain stuff in the old patch?

2. The core of this JIRA is to support multiple user group mapping providers. So which logic
would you prefer, assuming there are two providers, shellProvider and adProvider, and
a user UserX?
1) UserX's groups = groups_from_shellProvider + groups_from_adProvider;
2) UserX's groups = groups_from_shellProvider if any, or groups_from_adProvider if any. If
both are non-empty, then the first provider listed in hadoop.security.group.mapping.providers
will win.

Which one would you think is better?

3. About how to configure the providers, I extracted some properties from the patch as an example.
Can this work?
hadoop.security.group.mapping.providers: shell4services,ad4usersX,ad4usersY
hadoop.security.group.mapping.provider.shell4services: org.apache.hadoop.security.ShellBasedUnixGroupsMapping
hadoop.security.group.mapping.provider.ad4usersX: org.apache.hadoop.security.LdapGroupsMapping
...
hadoop.security.group.mapping.provider.ad4usersX.ldap.url: adX.example.com
hadoop.security.group.mapping.provider.ad4usersY.ldap.url: adY.example.com
...


> Support multiple group mapping providers
> ----------------------------------------
>
>                 Key: HADOOP-8943
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8943
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 2.5.0
>
>         Attachments: HADOOP-8943.patch, HADOOP-8943.patch, HADOOP-8943.patch
>
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>
>   Discussed with Natty about LdapGroupMapping; we need to improve it so that:
> 1. It's possible to do different group mapping for different users/principals. For example,
> AD users should go to the LdapGroupMapping service for groups, but service principals such as hdfs
> and mapred can still use the default one, ShellBasedUnixGroupsMapping;
> 2. Multiple ADs can be supported to do LdapGroupMapping;
> 3. It's possible to configure what kind of users/principals (regarding domain/realm as
> an option) should use which group mapping service/mechanism.
> 4. It's possible to configure and combine multiple existing mapping providers without
> writing code implementing a new one.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
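A small added model, not Hadoop's code and not from the attached patch, of the configuration layout and the two merge options proposed in the comment above. The provider list, per-provider keys and class names follow the comment; the group data, the lookup stand-ins and the user names are constructed for illustration.

```python
PREFIX = "hadoop.security.group.mapping.provider"

# Constructed configuration in the shape proposed in the comment above.
CONF = {
    "hadoop.security.group.mapping.providers": "shell4services,ad4usersX,ad4usersY",
    PREFIX + ".shell4services": "org.apache.hadoop.security.ShellBasedUnixGroupsMapping",
    PREFIX + ".ad4usersX": "org.apache.hadoop.security.LdapGroupsMapping",
    PREFIX + ".ad4usersY": "org.apache.hadoop.security.LdapGroupsMapping",
    PREFIX + ".ad4usersX.ldap.url": "adX.example.com",
    PREFIX + ".ad4usersY.ldap.url": "adY.example.com",
}

# Constructed stand-ins for the real mapping classes: canned answers per backend,
# the LDAP stand-in keyed by the provider-scoped ldap.url option.
SHELL_GROUPS = {"hdfs": ["hadoop", "supergroup"]}
LDAP_GROUPS = {"adX.example.com": {"alice": ["sales"], "hdfs": ["ad-admins"]},
               "adY.example.com": {"alice": ["eng"], "bob": ["eng", "ops"]}}
CLASSES = {
    "org.apache.hadoop.security.ShellBasedUnixGroupsMapping":
        lambda user, opts: list(SHELL_GROUPS.get(user, [])),
    "org.apache.hadoop.security.LdapGroupsMapping":
        lambda user, opts: list(LDAP_GROUPS.get(opts.get("ldap.url"), {}).get(user, [])),
}

def load_providers(conf):
    """Yield (name, lookup, scoped options) in the order listed in the providers key."""
    for name in conf["hadoop.security.group.mapping.providers"].split(","):
        name = name.strip()
        scope = PREFIX + "." + name + "."
        opts = {k[len(scope):]: v for k, v in conf.items() if k.startswith(scope)}
        yield name, CLASSES[conf[PREFIX + "." + name]], opts

def groups_union(user, conf):
    """Option 1): every provider's groups are combined (duplicates dropped)."""
    merged = []
    for _, lookup, opts in load_providers(conf):
        merged += [g for g in lookup(user, opts) if g not in merged]
    return merged

def groups_first_nonempty(user, conf):
    """Option 2): the first listed provider with a non-empty answer wins."""
    for _, lookup, opts in load_providers(conf):
        groups = lookup(user, opts)
        if groups:
            return groups
    return []
```

For a principal present in several backends (hdfs here), option 1 grants the union of what every directory says, while option 2 makes list order decide which backend is authoritative, so the ordering of hadoop.security.group.mapping.providers becomes an access-control decision under option 2.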
