Partial group resolution failure should not result in user lockout

If a Hadoop cluster is configured to use ShellBasedUnixGroupsMapping for user/group name mapping, occasionally some group names may become unresolvable (for example, using SSSD).

ShellBasedUnixGroupsMapping uses shell command "id -Gn" to retrieve the group name of a user; however, the existing logic assumes that if the exit code of the command is non-zero, the user has no group name at all. The shell command in Linux returns non-zero exit code if a group name is not resolvable. Unfortunately, it is possible that a user belongs to multiple groups, and any partial failure in group name resolution would denied the user's access.

On the other hand, the JNI implementation (JniBasedUnixGroupsMapping) is more resilient. If any group name is unresolvable, it is simply ignored, and whatever are resolvable are returned.

It is arguable that if the group name is not resolvable, the administrator should configure their directory/authentication service correctly, and Hadoop is in no position to handle it, but since the existing unit tests assume the output of JNI-based and shell-based implementation are the same, we should improve the shell-based group name resolution, and make it as resilient as the JNI-based one.