hadoop-hdfs-issues mailing list archives

From "Allen Wittenauer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7146) NFS ID/Group lookup requires SSSD enumeration on the server
Date Mon, 06 Oct 2014 21:36:36 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14161006#comment-14161006

Allen Wittenauer commented on HDFS-7146:

bq. See HDFS-4983.

That JIRA is sort of irrelevant to the discussion since HDFS (and therefore WebHDFS) has no
such restrictions on usernames since they are published as strings. Unix does and we have
to play by its rules since that's the space this code plays.  

bq. Seems the requirement on user name varies.

Not really.  Some useradd's do not enforce the entire rule set, which is why I said "most/all".
Some Linux distributions include a useradd facility that does not.  If you look at the upstream
Linux shadow utilities source, however, (https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c)
you'll find that all-digit usernames are not legal.  Other OSes follow similar rules in their
utilities (e.g., Illumos: https://hg.openindiana.org/upstream/illumos/illumos-gate/file/68f95e015346/usr/src/cmd/aset/tasks/pwchk.awk).
Just because some distributions allowed users to do incredibly dumb things doesn't mean
we need to as well.

FWIW, if you want true portability, you'll need to use the native system calls to follow whatever
rules are allowed on that machine.  Otherwise, expect to make some compatibility decisions.
To me, this is an easy call:  all-numeric usernames are super rare since they have unpredictable
results (e.g., chown).  Portability > naive admins who shot themselves in the foot.

> NFS ID/Group lookup requires SSSD enumeration on the server
> -----------------------------------------------------------
>                 Key: HDFS-7146
>                 URL: https://issues.apache.org/jira/browse/HDFS-7146
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: nfs
>    Affects Versions: 2.6.0
>            Reporter: Yongjun Zhang
>            Assignee: Yongjun Zhang
>         Attachments: HDFS-7146.001.patch, HDFS-7146.002.allIncremental.patch, HDFS-7146.003.patch
> The current implementation of the NFS UID and GID lookup works by running 'getent passwd'
> with an assumption that it will return the entire list of users available on the OS, local
> and remote (AD/etc.).
> This behaviour of the command is advised to be and is prevented by administrators in
> most secure setups to avoid excessive load to the ADs involved, as the # of users to be listed
> may be too large, and the repeated requests of ALL users not present in the cache would be
> too much for the AD infrastructure to bear.
> The NFS server should likely do lookups based on a specific UID request, via 'getent
> passwd <UID>', if the UID does not match a cached value. This reduces load on the LDAP
> backed infrastructure.
> Thanks [~qwertymaniac] for reporting the issue.

This message was sent by Atlassian JIRA
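The two technical points in this thread, per-UID lookup with a cache instead of a full `getent passwd` enumeration (the issue description) and rejecting all-digit usernames as the shadow utilities do (the comment), can be shown together. The following is an added example written for this archive page; it is not code from the Hadoop NFS gateway or from the HDFS-7146 patches. It assumes the 2014-era chkname.c rule `[a-z_][a-z0-9_-]*[$]?` for usernames and uses a constructed in-memory passwd directory in place of SSSD; `getent_passwd_uid` is the optional real backend and is not called by default.

```python
"""Per-ID passwd lookup with a cache, plus the shadow-utils username rule.

Added illustration for the HDFS-7146 discussion; not code from the Hadoop
NFS gateway.  The backend models `getent passwd <UID>`, which returns a
single passwd line (or nothing) instead of enumerating the whole directory
the way a bare `getent passwd` does.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Username rule modelled on shadow-utils libmisc/chkname.c as of 2014:
#   [a-z_][a-z0-9_-]*[$]?
# The first character may not be a digit, so an all-digit name such as
# "12345" is rejected.  Assumption: this regex is taken as the rule; as the
# thread notes, some distributions ship a patched useradd that is looser.
_SHADOW_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def is_valid_username(name: str) -> bool:
    """True if `name` satisfies the modelled chkname.c rule."""
    return bool(name) and _SHADOW_NAME_RE.match(name) is not None


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one `name:passwd:uid:gid:gecos:home:shell` line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 4:
        raise ValueError(f"malformed passwd line: {line!r}")
    return PasswdEntry(name=fields[0], uid=int(fields[2]), gid=int(fields[3]))


# Constructed sample directory standing in for local files plus AD/LDAP
# reached through SSSD.  Entirely made up for this example.
FAKE_DIRECTORY = {
    0: "root:x:0:0:root:/root:/bin/bash",
    1001: "hdfs:x:1001:1001:HDFS user:/var/lib/hdfs:/bin/bash",
    1002: "yongjun:x:1002:1002:Yongjun:/home/yongjun:/bin/bash",
    1003: "12345:x:1003:1003:all-digit name:/home/12345:/bin/bash",
}


def fake_getent(uid: int) -> Optional[str]:
    """Models `getent passwd <UID>`: one line for a known id, None otherwise."""
    return FAKE_DIRECTORY.get(uid)


def getent_passwd_uid(uid: int) -> Optional[str]:
    """Real backend: run `getent passwd <UID>` (empty output means not found)."""
    proc = subprocess.run(["getent", "passwd", str(uid)],
                          capture_output=True, text=True)
    return proc.stdout.strip() or None


class UidResolver:
    """Resolve uid -> passwd entry via single-id lookups, caching every hit.

    Only ids not already cached reach the backend, so a server that keeps
    seeing the same few uids issues a handful of queries instead of one
    directory-wide enumeration on every refresh.
    """

    def __init__(self, backend: Callable[[int], Optional[str]] = fake_getent):
        self._backend = backend
        self._by_uid: Dict[int, PasswdEntry] = {}
        self.backend_calls = 0  # observable cost of the lookup strategy

    def resolve(self, uid: int) -> Optional[PasswdEntry]:
        entry = self._by_uid.get(uid)
        if entry is not None:
            return entry
        self.backend_calls += 1
        line = self._backend(uid)
        if line is None:
            return None  # unknown id; no negative caching in this example
        entry = parse_passwd_line(line)
        if not is_valid_username(entry.name):
            # The comment's position: a name that violates the shadow rule
            # (e.g. all digits) is ambiguous to tools like chown, so refuse
            # to map it rather than cache it.
            raise ValueError(f"uid {uid} maps to illegal username {entry.name!r}")
        self._by_uid[uid] = entry
        return entry


if __name__ == "__main__":
    r = UidResolver()
    for uid in (1001, 1002, 1001, 1003, 4242):
        try:
            print(uid, "->", r.resolve(uid))
        except ValueError as exc:
            print(uid, "->", exc)
    print("backend calls:", r.backend_calls)
```

Pass `UidResolver(backend=getent_passwd_uid)` to run the same logic against the real NSS stack on a host; the `backend_calls` counter is what to watch when judging load on an LDAP-backed directory.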
