hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12505) ShellBasedUnixGroupMapping should support group names with space
Date Mon, 26 Oct 2015 17:48:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14974642#comment-14974642

Chris Nauroth commented on HADOOP-12505:

I'm curious then about what is your stance on {{JniBasedUnixGroupsMapping}}.  Do you see it
as a bug that it works correctly with non-Unix-compliant names?

Something else for us to consider is the severity to which tools break in the presence of
non-compliant names.  For a local file system, it can break parsing in scripts, but it can't
harm permission checks, which are based on numeric UID/GID.  In Hadoop, we don't have access
to a canonical UID/GID, so we rely on the string names.  (Arguably, we'd be better off with
a real UID/GID, but that would be a significant design change.)  Since the bug places users
into incorrect groups (i.e. "Domain" and "Users" in the example), there is a risk of influencing
permission checks.  I see this as a more severe problem and something worthy of a bug fix.

> ShellBasedUnixGroupMapping should support group names with space
> ----------------------------------------------------------------
>                 Key: HADOOP-12505
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12505
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
> In a typical configuration, group name is obtained from AD through SSSD/LDAP. AD permits
group names with space (e.g. "Domain Users").
> Unfortunately, the present implementation of ShellBasedUnixGroupMapping parses the output
of shell command "id -Gn", and assumes group names are separated by space.
> This could be achieved by using a combination of shell scripts, for example,
> bash -c 'id -G weichiu | tr " " "\n" | xargs -I % getent group "%" | cut -d":" -f1'
> But I am still looking for a more compact form, and potentially more efficient one.

This message was sent by Atlassian JIRA

View raw message