Thanks for your review. I will rebase the rather old patch and update it according to your comments.
1. I thought about it again, and I think it might not be very necessary or so appropriate to introduce domain here, since we don't yet have the chance to get any domain attribute from the user subject due to the current authentication mechanism's limitation. How about removing the domain stuff in the old patch?
2. The core of this JIRA is to support multiple user groups mapping providers. So what do you think about the logic? Assume there are two providers, shellProvider and adProvider, and a user UserX.
1) UserX's groups = groups_from_shellProvider + groups_from_adProvider;
2) UserX's groups = groups_from_shellProvider if any, or groups_from_adProvider if any. If both are not empty, then the first provider listed in hadoop.security.group.mapping.providers will win.
Which one do you think is better?
3. About how to configure the providers, I extracted some properties from the patch as an example. Can this work?
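
The two candidate semantics from point 2, side by side, as an added example that is not part of the original comment or of the patch. The `Provider` interface, the class and method names, and the sample group data are hypothetical and constructed for illustration; they are not Hadoop's own API.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class GroupMappingSemantics {
    // Hypothetical stand-in for a group mapping provider (not Hadoop's interface).
    interface Provider { List<String> getGroups(String user); }

    // Option 1: union of the groups from every provider, in configured order,
    // with duplicates removed.
    static List<String> combineAll(List<Provider> providers, String user) {
        Set<String> groups = new LinkedHashSet<>();
        for (Provider p : providers) {
            groups.addAll(p.getGroups(user));
        }
        return new ArrayList<>(groups);
    }

    // Option 2: the first provider in configured order that returns a
    // non-empty result wins; later providers are not consulted.
    static List<String> firstNonEmpty(List<Provider> providers, String user) {
        for (Provider p : providers) {
            List<String> groups = p.getGroups(user);
            if (!groups.isEmpty()) {
                return groups;
            }
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) {
        // Constructed sample data: UserX is known to both sources, UserY only to AD.
        Map<String, List<String>> shell = Map.of("UserX", List.of("staff", "hadoop"));
        Map<String, List<String>> ad = Map.of(
            "UserX", List.of("hadoop", "finance-admins"),
            "UserY", List.of("analysts"));
        Provider shellProvider = u -> shell.getOrDefault(u, List.of());
        Provider adProvider = u -> ad.getOrDefault(u, List.of());
        // List order models the order in which the providers are configured.
        List<Provider> providers = List.of(shellProvider, adProvider);

        for (String user : List.of("UserX", "UserY")) {
            System.out.println(user + " union:           " + combineAll(providers, user));
            System.out.println(user + " first non-empty: " + firstNonEmpty(providers, user));
        }
    }
}
```

With this data, UserX receives groups from both sources under option 1 but only the shellProvider groups under option 2, so the choice changes which group-based permissions apply. UserY, unknown to shellProvider, resolves the same way under both options.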