Hadoop Common / HADOOP-12413

AccessControlList should avoid calling getGroupNames in isUserInList with empty groups.

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.0
    • Fix Version/s: 2.8.0, 2.7.2, 2.6.3, 3.0.0-alpha1
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      AccessControlList should avoid calling getGroupNames in isUserInList with empty groups. Currently AccessControlList will call ugi.getGroupNames() in isUserInList even if groups is empty. ugi.getGroupNames() is an expensive operation which calls the shell script id -gn <USER> && id -Gn <user> to get the list of groups. For example,
      ServiceAuthorizationManager#authorize will call the blocked ACL acls[1].isUserAllowed(user) to check the user's permission. The default value for the blocked ACL is empty:

          String defaultBlockedAcl = conf.get(
              CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, "");
      

      So every time authorize is called, getGroupNames may be called.
      It also caused the following warning message:

      2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_1441722221553_0005: id: job_1441722221553_0005: No such user
      2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.UserGroupInformation: No groups available for user job_1441722221553_0005
      2015-09-08 14:55:34,236 INFO [Socket Reader #1 for port 52715] SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for job_1441722221553_0005 (auth:TOKEN) for protocol=interface org.apache.hadoop.mapred.TaskUmbilicalProtocol
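
      The effect described above, as an added example (not Hadoop's code and not the patch attached to this issue): a simplified ACL model in which resolveGroups is a hypothetical stand-in for ugi.getGroupNames(), and the class and method names are assumptions. It shows that skipping the lookup when the ACL names no groups leaves the authorization decision unchanged while removing the expensive call.

```java
import java.util.List;
import java.util.Set;

// Simplified stand-in for an ACL with user and group sets (the "*" wildcard is omitted).
public class AclGroupLookupDemo {
    static int lookups = 0; // how many times the expensive group resolution ran

    // Hypothetical stand-in for ugi.getGroupNames(), which may shell out to `id`.
    static List<String> resolveGroups(String user) {
        lookups++;
        return user.equals("alice") ? List.of("analysts") : List.of(); // constructed data
    }

    final Set<String> users, groups;

    AclGroupLookupDemo(Set<String> users, Set<String> groups) {
        this.users = users;
        this.groups = groups;
    }

    // Behaviour the issue describes: groups are resolved even when the ACL names none.
    boolean isUserInListBefore(String user) {
        if (users.contains(user)) return true;
        for (String g : resolveGroups(user)) {
            if (groups.contains(g)) return true;
        }
        return false;
    }

    // Guarded form: with no groups in the ACL, no resolved group can match, so skip the call.
    boolean isUserInListGuarded(String user) {
        if (users.contains(user)) return true;
        if (groups.isEmpty()) return false;
        for (String g : resolveGroups(user)) {
            if (groups.contains(g)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        AclGroupLookupDemo blocked = new AclGroupLookupDemo(Set.of(), Set.of()); // empty blocked ACL
        String tokenUser = "job_1441722221553_0005"; // user name from the log excerpt above
        boolean before = blocked.isUserInListBefore(tokenUser);
        int lookupsBefore = lookups;
        lookups = 0;
        boolean guarded = blocked.isUserInListGuarded(tokenUser);
        System.out.println("before:  blocked=" + before + " lookups=" + lookupsBefore);
        System.out.println("guarded: blocked=" + guarded + " lookups=" + lookups);
        AclGroupLookupDemo acl = new AclGroupLookupDemo(Set.of(), Set.of("analysts"));
        System.out.println("group match still works: " + acl.isUserInListGuarded("alice"));
    }
}
```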
      


              People

              • Assignee:
                zxu zhihai xu
                Reporter:
                zxu zhihai xu