hadoop-common-issues mailing list archives

From "Brandon Li (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8943) Support multiple group mapping providers
Date Mon, 23 Jun 2014 21:20:25 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14041330#comment-14041330 ]

Brandon Li commented on HADOOP-8943:
------------------------------------

[~drankye], sorry for the late reply. I agree the domain concept introduces unnecessary complexity.
If the mapping use case is fairly sophisticated, the user is expected to implement their
own mapping class. 

The updated patch looks good. Some minor comments:
1. the javadoc of CompositeGroupsMapping#prepareConf is not updated
2. {quote} I checked CommonCofigurationKeysPublic, unfortunately it locates in unexpected
package.{quote}
I meant CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING
The package is org.apache.hadoop.fs.

> Support multiple group mapping providers
> ----------------------------------------
>
>                 Key: HADOOP-8943
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8943
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 2.5.0
>
>         Attachments: HADOOP-8943.patch, HADOOP-8943.patch, HADOOP-8943.patch, hadoop-8943-v2.patch
>
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>
>   Discussed with Natty about LdapGroupMapping, we need to improve it so that:
> 1. It's possible to do different group mapping for different users/principals. For example, AD user should go to LdapGroupMapping service for group, but service principals such as hdfs, mapred can still use the default one, ShellBasedUnixGroupsMapping;
> 2. Multiple ADs can be supported to do LdapGroupMapping;
> 3. It's possible to configure what kind of users/principals (regarding domain/realm is an option) should use which group mapping service/mechanism.
> 4. It's possible to configure and combine multiple existing mapping providers without writing code implementing a new one.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
