Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- 2.7.0
- None
- Reviewed
Description
AccessControlList should avoid calling getGroupNames in isUserInList with empty groups.
Currently AccessControlList will call ugi.getGroupNames() in isUserInList even if groups is empty. ugi.getGroupNames() is an expensive operation which calls the shell script id -gn <USER> && id -Gn <user> to get the list of groups. For example,
ServiceAuthorizationManager#authorize will call the blocked ACL, acls[1].isUserAllowed(user), to check the user's permission. The default value for the blocked ACL is empty:
String defaultBlockedAcl = conf.get( CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL, "");
So every time authorize is called, getGroupNames may be called.
It also caused the following warning message:
2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_1441722221553_0005: id: job_1441722221553_0005: No such user
2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.UserGroupInformation: No groups available for user job_1441722221553_0005
2015-09-08 14:55:34,236 INFO [Socket Reader #1 for port 52715] SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for job_1441722221553_0005 (auth:TOKEN) for protocol=interface org.apache.hadoop.mapred.TaskUmbilicalProtocol
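The short-circuit requested in the description, as an added sketch that is not Hadoop's code and not the committed patch: `SimpleAcl`, `GroupResolver` and `CountingResolver` are hypothetical stand-ins for AccessControlList and the shell-based group mapping, and the user names are constructed. The call counter shows that a check against an ACL with no groups never triggers a group lookup, while the decision itself is unchanged.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class EmptyGroupAclDemo {
    /** Hypothetical stand-in for an expensive group lookup (e.g. forking `id`). */
    interface GroupResolver { List<String> groupsFor(String user); }

    /** Counts lookups so the cost of each ACL check is visible. */
    static class CountingResolver implements GroupResolver {
        int calls = 0;
        private final Map<String, List<String>> table;
        CountingResolver(Map<String, List<String>> table) { this.table = table; }
        public List<String> groupsFor(String user) {
            calls++;
            return table.getOrDefault(user, Collections.emptyList());
        }
    }

    /** Minimal ACL holding a set of users and a set of groups. */
    static class SimpleAcl {
        private final Set<String> users;
        private final Set<String> groups;
        SimpleAcl(Set<String> users, Set<String> groups) {
            this.users = users;
            this.groups = groups;
        }
        boolean isUserInList(String user, GroupResolver resolver) {
            if (users.contains(user)) return true;
            // No group can match an empty group set, so skip the lookup entirely.
            if (groups.isEmpty()) return false;
            for (String g : resolver.groupsFor(user)) {
                if (groups.contains(g)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        CountingResolver resolver = new CountingResolver(Map.of("alice", List.of("staff")));
        SimpleAcl emptyBlockedAcl = new SimpleAcl(Set.of(), Set.of());  // like a "" default
        SimpleAcl staffAcl = new SimpleAcl(Set.of(), Set.of("staff"));
        String tokenUser = "job_0000000000000_0001";  // constructed, has no OS account
        System.out.println("empty ACL: " + emptyBlockedAcl.isUserInList(tokenUser, resolver)
                + ", lookups so far: " + resolver.calls);
        System.out.println("staff ACL: " + staffAcl.isUserInList("alice", resolver)
                + ", lookups so far: " + resolver.calls);
    }
}
```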
Issue Links
- relates to
- MAPREDUCE-4329 security.task.umbilical.protocol.acl should not be configurable
- Open