hadoop-hdfs-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7146) NFS ID/Group lookup requires SSSD enumeration on the server
Date Fri, 26 Sep 2014 22:49:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14150146#comment-14150146 ]

Allen Wittenauer commented on HDFS-7146:

A quick primer on OS X naming services....

Apple uses a system called Directory Services.  [dscl = Directory Services Command Line (utility)]
 It's based upon NextStep's NetInfo idea where objects are organized in a pseudo-directory
layout with certain top level structures being an amalgamation of all of the services. So,
for example, if a system is configured with LDAP and Files,  /Users will be /etc/passwd +
LDAP ou=people (or whatever).  But you can specify /LDAPv3/server/Users to get specifically
the LDAP part.  This is similar to how nsswitch and sssd work on other OSes, but with more

This used to be a lot easier, but now if you go through System Preferences -> Users &
Groups -> Login Options -> Network Account Server -> Join... you'll get to Directory
Utility which allows you to add multiple sources for authentication and other naming services.

(I've been doing this stuff for way too long. *sigh*)

> NFS ID/Group lookup requires SSSD enumeration on the server
> -----------------------------------------------------------
>                 Key: HDFS-7146
>                 URL: https://issues.apache.org/jira/browse/HDFS-7146
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: nfs
>    Affects Versions: 2.6.0
>            Reporter: Yongjun Zhang
>            Assignee: Yongjun Zhang
> The current implementation of the NFS UID and GID lookup works by running 'getent passwd'
> with an assumption that it will return the entire list of users available on the OS, local
> and remote (AD/etc.).
> This behaviour of the command is advised to be and is prevented by administrators in
> most secure setups to avoid excessive load to the ADs involved, as the # of users to be listed
> may be too large, and the repeated requests of ALL users not present in the cache would be
> too much for the AD infrastructure to bear.
> The NFS server should likely do lookups based on a specific UID request, via 'getent
> passwd <UID>', if the UID does not match a cached value. This reduces load on the LDAP
> backed infrastructure.
> Thanks [~qwertymaniac] for reporting the issue.

This message was sent by Atlassian JIRA
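
The per-UID lookup the quoted issue description proposes, sketched as an added example (not Hadoop's code and not part of the original message). `UidCache`, `nss_lookup`, and the TTL values are hypothetical; `pwd.getpwuid` goes through the same NSS sources as `getent passwd <UID>`, so it works when enumeration is disabled.

```python
import pwd
import time


def nss_lookup(uid):
    """Resolve one UID through NSS, the same path as 'getent passwd <UID>'."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None  # no such user in any configured source


class UidCache:
    """Lazy UID -> name map: one backend query per unknown UID, never a full listing."""

    def __init__(self, resolver=nss_lookup, ttl=900, negative_ttl=60,
                 clock=time.monotonic):
        self.resolver = resolver          # assumed pluggable so it can be tested offline
        self.ttl = ttl                    # assumed lifetime for resolved names (seconds)
        self.negative_ttl = negative_ttl  # assumed, shorter lifetime for misses
        self.clock = clock
        self.entries = {}                 # uid -> (name or None, expiry time)
        self.backend_calls = 0

    def name_for(self, uid):
        now = self.clock()
        hit = self.entries.get(uid)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.backend_calls += 1
        name = self.resolver(uid)
        # Misses are cached too (briefly), so a client that keeps presenting an
        # unmapped UID cannot turn every NFS request into a directory query.
        lifetime = self.ttl if name is not None else self.negative_ttl
        self.entries[uid] = (name, now + lifetime)
        return name


def demo():
    directory = {1001: "alice", 1002: "bob"}   # constructed sample data
    fake_now = [0.0]
    cache = UidCache(resolver=directory.get, clock=lambda: fake_now[0])
    names = [cache.name_for(u) for u in (1001, 1001, 4242, 4242, 1002)]
    calls_before_expiry = cache.backend_calls  # one query per distinct UID
    fake_now[0] = 61.0                         # past negative_ttl, within ttl
    cache.name_for(4242)                       # miss has expired: queried again
    cache.name_for(1001)                       # still served from cache
    return names, calls_before_expiry, cache.backend_calls
```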