  1. Hadoop Common
  2. HADOOP-12468

Partial group resolution failure should not result in user lockout


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 2.6.1
    • 2.8.0, 3.0.0-alpha1
    • security
    • None
    • Linux

    • Reviewed

    Description

      If a Hadoop cluster is configured to use ShellBasedUnixGroupsMapping for user/group name mapping, occasionally some group names may become unresolvable (for example, using SSSD).

      ShellBasedUnixGroupsMapping uses the shell command "id -Gn" to retrieve the group names of a user; however, the existing logic assumes that if the exit code of the command is non-zero, the user has no group name at all. The shell command in Linux returns a non-zero exit code if a group name is not resolvable. Unfortunately, it is possible that a user belongs to multiple groups, and any partial failure in group name resolution would deny the user's access.

      On the other hand, the JNI implementation (JniBasedUnixGroupsMapping) is more resilient. If any group name is unresolvable, it is simply ignored, and whichever names are resolvable are returned.

      It is arguable that if the group name is not resolvable, the administrator should configure their directory/authentication service correctly, and Hadoop is in no position to handle it, but since the existing unit tests assume the output of JNI-based and shell-based implementation are the same, we should improve the shell-based group name resolution, and make it as resilient as the JNI-based one.
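
      Added example (not taken from the Hadoop patch or written by the issue reporter): a shell sketch of the tolerant behaviour the description asks for, resolving each numeric GID from `id -G` on its own and skipping any that has no name instead of treating one failure as "no groups". The function names, the `GROUP_DB` override and the sample group data are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not Hadoop code. Function names, GROUP_DB and the
# sample data are assumptions.

# Constructed sample in /etc/group format. GID 4242 is deliberately absent,
# standing in for a directory group whose name cannot be resolved.
SAMPLE_GROUP_DB='analysts:x:1001:alice
etl:x:1002:alice,bob'

# lookup_gid GID: print the group name; non-zero status if unresolvable.
# Uses getent(1) unless GROUP_DB holds /etc/group-style text.
lookup_gid() {
    if [ -n "${GROUP_DB:-}" ]; then
        printf '%s\n' "$GROUP_DB" |
            awk -F: -v gid="$1" '$3 == gid { print $1; ok = 1; exit }
                                 END { exit !ok }'
    else
        _entry=$(getent group "$1") || return 1
        printf '%s\n' "${_entry%%:*}"
    fi
}

# resolve_groups GID...: print every resolvable name on one line.
# Status: 0 = all resolved, 2 = some skipped, 1 = none resolved.
resolve_groups() {
    _names="" _missing=0
    for _gid in "$@"; do
        if _name=$(lookup_gid "$_gid") && [ -n "$_name" ]; then
            _names="${_names:+$_names }$_name"
        else
            _missing=$((_missing + 1))
            echo "warn: gid $_gid has no resolvable name, skipped" >&2
        fi
    done
    [ -n "$_names" ] || return 1
    printf '%s\n' "$_names"
    [ "$_missing" -eq 0 ] || return 2
}

# Demo on the constructed data; on a live host, unset GROUP_DB and call
#   resolve_groups $(id -G "$user")
GROUP_DB=$SAMPLE_GROUP_DB
resolve_groups 1001 1002 4242 || echo "status $?: resolution incomplete" >&2
```

      The distinct exit status for a partial result lets a caller log or alert on skipped GIDs while still granting the memberships that did resolve.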

      Attachments

        1. HADOOP-12468.001.patch
          9 kB
          Wei-Chiu Chuang
        2. HADOOP-12468.002.patch
          9 kB
          Wei-Chiu Chuang
        3. HADOOP-12468.003.patch
          10 kB
          Wei-Chiu Chuang
        4. HADOOP-12468.004.patch
          17 kB
          Wei-Chiu Chuang
        5. HADOOP-12468.005.patch
          17 kB
          Wei-Chiu Chuang
        6. HADOOP-12468.006.patch
          17 kB
          Wei-Chiu Chuang
        7. HADOOP-12468.007.patch
          17 kB
          Wei-Chiu Chuang
        8. HADOOP-12468.008.patch
          18 kB
          Wei-Chiu Chuang
        9. HADOOP-12468.009.patch
          18 kB
          Wei-Chiu Chuang
        10. HADOOP-12468.010.patch
          18 kB
          Wei-Chiu Chuang


          People

            weichiu Wei-Chiu Chuang
            weichiu Wei-Chiu Chuang