hadoop-common-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12413) AccessControlList should avoid calling getGroupNames in isUserInList with empty groups.
Date Tue, 15 Sep 2015 19:56:45 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14746038#comment-14746038 ]

Hudson commented on HADOOP-12413:
---------------------------------

FAILURE: Integrated in Hadoop-Yarn-trunk-Java8 #395 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk-Java8/395/])
HADOOP-12413. AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Contributed by Zhihai Xu. (cnauroth: rev b2017d9b032af20044fdf60ddbd1575a554ccb79)
* hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/AccessControlList.java
* hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/authorize/TestAccessControlList.java
* hadoop-common-project/hadoop-common/CHANGES.txt


> AccessControlList should avoid calling getGroupNames in isUserInList with empty groups.
> ---------------------------------------------------------------------------------------
>
>                 Key: HADOOP-12413
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12413
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.7.0
>            Reporter: zhihai xu
>            Assignee: zhihai xu
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12413.000.patch
>
>
> {{AccessControlList}} should avoid calling {{getGroupNames}} in {{isUserInList}} with empty {{groups}}. Currently {{AccessControlList}} will call {{ugi.getGroupNames()}} in {{isUserInList}} even if {{groups}} is empty. {{ugi.getGroupNames()}} is an expensive operation which calls the shell script {{id -gn <USER> && id -Gn <user>}} to get the list of groups. For example,
> {{ServiceAuthorizationManager#authorize}} will call the blocked ACL {{acls[1].isUserAllowed(user)}} to check the user permission. The default value for the blocked ACL is empty:
> {code}
>     String defaultBlockedAcl = conf.get(
>         CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL,
>         "");
> {code}
> So every time {{authorize}} is called, {{getGroupNames}} may be called.
> It also caused the following warning message:
> {code}
> 2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_1441722221553_0005: id: job_1441722221553_0005: No such user
> 2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.UserGroupInformation: No groups available for user job_1441722221553_0005
> 2015-09-08 14:55:34,236 INFO [Socket Reader #1 for port 52715] SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for job_1441722221553_0005 (auth:TOKEN) for protocol=interface org.apache.hadoop.mapred.TaskUmbilicalProtocol
> {code}
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
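
An added illustration, not code from the HADOOP-12413 patch or from the issue: a simplified Java model of the behaviour the issue describes, where a counter stands in for the shell-backed group lookup so the cost of checking an empty blocked ACL is visible with and without a guard. The class, field and user names are hypothetical, and the sample users are constructed.

```java
import java.util.List;
import java.util.Set;

// Hypothetical, simplified model; this is not Hadoop's AccessControlList.
public class AclGroupLookupDemo {
    static int lookups = 0;

    // Stand-in for ugi.getGroupNames(): counts calls instead of running `id`.
    static List<String> getGroupNames(String user) {
        lookups++;
        return user.equals("alice") ? List.of("staff") : List.of();
    }

    static class Acl {
        final Set<String> users;
        final Set<String> groups;
        final boolean guardEmptyGroups; // true models the behaviour the issue asks for

        Acl(Set<String> users, Set<String> groups, boolean guardEmptyGroups) {
            this.users = users;
            this.groups = groups;
            this.guardEmptyGroups = guardEmptyGroups;
        }

        boolean isUserInList(String user) {
            if (users.contains(user)) return true;
            // With no groups configured nothing can match, so skip the lookup.
            if (guardEmptyGroups && groups.isEmpty()) return false;
            for (String g : getGroupNames(user)) {
                if (groups.contains(g)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input: a token-authenticated job id with no OS account.
        String tokenUser = "job_0001";
        for (boolean guard : new boolean[] {false, true}) {
            lookups = 0;
            Acl blocked = new Acl(Set.of(), Set.of(), guard);          // default: empty
            Acl staffOnly = new Acl(Set.of(), Set.of("staff"), guard); // non-empty groups
            boolean isBlocked = blocked.isUserInList(tokenUser);
            int lookupsForEmptyAcl = lookups;
            boolean aliceAllowed = staffOnly.isUserInList("alice");
            System.out.printf("guard=%b blocked=%b lookupsForEmptyAcl=%d aliceInStaff=%b%n",
                    guard, isBlocked, lookupsForEmptyAcl, aliceAllowed);
        }
    }
}
```

The authorization answer is the same in both runs; only the number of group lookups for the empty ACL differs, and a non-empty group list still triggers the lookup.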
