hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12468) Partial group resolution failure should not result in user lockout
Date Thu, 29 Oct 2015 23:55:27 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-12468:
-------------------------------------
    Attachment: HADOOP-12468.004.patch

Rev4 is a complete rewrite to address several concerns:
(1) Primary group is placed first among all groups.
(2) Support numeric group names by adopting Harsh's suggestion. If some group names are not resolvable, get the list of group ids and compare them one by one. For each group name/id pair, if both are the same, regard it as not resolved; otherwise, put the name in the list of group names.

This support of numeric group names is still not complete: it does not support Windows; also, if some group names are not resolved, and some group names are numeric, and the group name is the same as the group id, they will be discarded. But this case should be extremely rare.

Ultimately, I think we should consider supporting a wider range of characters for group/user names, as defined by the POSIX ("Portable Operating System Interface for Unix") standard (IEEE Standard 1003.1-2008), which includes:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 . _ -
(The <hyphen> character should not be used as the first character of a portable user name.)

> Partial group resolution failure should not result in user lockout
> ------------------------------------------------------------------
>
>                 Key: HADOOP-12468
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12468
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.1
>         Environment: Linux
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>            Priority: Minor
>         Attachments: HADOOP-12468.001.patch, HADOOP-12468.002.patch, HADOOP-12468.003.patch, HADOOP-12468.004.patch
>
>
> If a Hadoop cluster is configured to use ShellBasedUnixGroupsMapping for user/group name mapping, occasionally some group names may become unresolvable (for example, using SSSD).
> ShellBasedUnixGroupsMapping uses shell command "id -Gn" to retrieve the group name of a user; however, the existing logic assumes that if the exit code of the command is non-zero, the user has no group name at all. The shell command in Linux returns a non-zero exit code if a group name is not resolvable. Unfortunately, it is possible that a user belongs to multiple groups, and any partial failure in group name resolution would deny the user's access.
> On the other hand, the JNI implementation (JniBasedUnixGroupsMapping) is more resilient. If any group name is unresolvable, it is simply ignored, and whatever is resolvable is returned.
> It is arguable that if the group name is not resolvable, the administrator should configure their directory/authentication service correctly, and Hadoop is in no position to handle it, but since the existing unit tests assume the output of the JNI-based and shell-based implementations is the same, we should improve the shell-based group name resolution and make it as resilient as the JNI-based one.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
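The pairing approach described in the rev4 comment (run "id -G" alongside "id -Gn", walk the two lists position by position, and treat a position where the name equals the gid as unresolved), shown as an added example in Python rather than Hadoop's Java. This is not Hadoop's ShellBasedUnixGroupsMapping code or any of the attached patches. It assumes Linux coreutils "id" semantics, where an unresolvable gid is printed as the bare number in the name column and the command exits non-zero; the user names, gids, and canned command outputs are constructed for the demo and are not captured from a real host. The strict function reproduces the pre-fix lockout behaviour the issue describes, so the two can be compared on the same input; the numeric-name limitation from the comment is kept rather than papered over.

```python
"""Group resolution that survives a partial `id -Gn` failure.

Added example, not Hadoop's own code. Assumes Linux coreutils `id`: when a
gid cannot be mapped to a name, `id -Gn` prints the bare gid in that slot,
warns on stderr and exits 1.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

# A runner takes argv and returns (exit code, stdout); injectable for tests.
Runner = Callable[[List[str]], Tuple[int, str]]


def run_real(argv: List[str]) -> Tuple[int, str]:
    """Run a command on the local host (used only outside the offline demo)."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


def groups_strict(user: str, run: Runner = run_real) -> List[str]:
    """Pre-fix logic the issue describes: a non-zero exit from `id -Gn` is
    taken to mean 'no groups at all', so one stale gid locks the user out."""
    rc, out = run(["id", "-Gn", user])
    return [] if rc != 0 else out.split()


def groups_resilient(user: str, run: Runner = run_real) -> List[str]:
    """Pair `id -Gn` with `id -G` slot by slot and drop entries whose name
    equals their gid (unresolved). The primary group is first in both
    outputs, so it stays first. Known limitation, as in the JIRA comment: a
    group literally named after its gid (name "1005", gid 1005) is dropped
    too, but only when some other gid failed to resolve."""
    rc_names, out_names = run(["id", "-Gn", user])
    if rc_names == 0:
        return out_names.split()  # fully resolved; numeric names are kept
    rc_gids, out_gids = run(["id", "-G", user])
    names, gids = out_names.split(), out_gids.split()
    if rc_gids != 0 or not gids or len(names) != len(gids):
        return []  # unknown user, or outputs cannot be paired: do not guess
    return [name for name, gid in zip(names, gids) if name != gid]


def fake_runner(table: Dict[Tuple[str, ...], Tuple[int, str]]) -> Runner:
    """Test double: maps an argv tuple to a canned (exit code, stdout)."""
    def run(argv: List[str]) -> Tuple[int, str]:
        return table[tuple(argv)]
    return run


# Constructed sample outputs (hypothetical users and gids, not real data).
# alice: primary group alice (1000), hadoop (1001), and an SSSD-backed group
# whose gid 1005 can no longer be resolved to a name.
SSSD_PARTIAL = fake_runner({
    ("id", "-Gn", "alice"): (1, "alice hadoop 1005\n"),
    ("id", "-G", "alice"):  (0, "1000 1001 1005\n"),
})
# bob: every group resolves, and one group is legitimately named "4242".
ALL_RESOLVED = fake_runner({
    ("id", "-Gn", "bob"): (0, "bob 4242\n"),
    ("id", "-G", "bob"):  (0, "1002 4242\n"),
})
# ghost: the user itself does not exist, so both commands fail with no output.
NO_SUCH_USER = fake_runner({
    ("id", "-Gn", "ghost"): (1, ""),
    ("id", "-G", "ghost"):  (1, ""),
})


def demo() -> Dict[str, List[str]]:
    """Run both strategies over the constructed cases."""
    return {
        "strict_alice": groups_strict("alice", SSSD_PARTIAL),
        "resilient_alice": groups_resilient("alice", SSSD_PARTIAL),
        "resilient_bob": groups_resilient("bob", ALL_RESOLVED),
        "resilient_ghost": groups_resilient("ghost", NO_SUCH_USER),
    }


if __name__ == "__main__":
    for case, groups in demo().items():
        print(f"{case}: {groups}")
```

On the SSSD case the strict path returns an empty list (the lockout), while the resilient path returns alice's primary group followed by hadoop and silently drops the stale gid. Returning an empty list when the two outputs cannot be lined up is deliberate: falling back to "drop every purely numeric token" would discard legitimately numeric group names, which is exactly what the second revision was trying to support.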
