[
https://issues.apache.org/jira/browse/HADOOP-15213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16356697#comment-16356697
]
Dhirendra Khanka commented on HADOOP-15213:
-------------------------------------------
OK, so forget the JNI implementation; what about ShellBasedUnixGroupsNetgroupMapping?
I tested the code below on the cluster for ShellBasedUnixGroupsNetgroupMapping:
{code:java}
package com.teradata;

import org.apache.hadoop.fs.*;
import org.apache.hadoop.util.GenericOptionsParser;
import java.io.IOException;
import java.util.LinkedList;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.*;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.Shell.ExitCodeException;

public class usernetgroups {

    public static void main(String[] args) throws Exception {
        FileSystem fs = FileSystem.get(new Configuration());
        Configuration conf = new Configuration();
        String[] otherArgs = new GenericOptionsParser(conf, args).getRemainingArgs();
        if (otherArgs.length != 0) {
            try {
                // System.out.print("ShellBasedUnixGroupsMapping for user : "+ otherArgs[0]+"--> " );
                ShellBasedUnixGroupsMapping map = new ShellBasedUnixGroupsMapping();
                // System.out.println(map.getGroups(otherArgs[0]));
                // System.out.print("ShellBasedUnixGroupsNetgroupMapping for user : "+ otherArgs[0]+"--> " );
                ShellBasedUnixGroupsNetgroupMapping map1 = new ShellBasedUnixGroupsNetgroupMapping();
                // System.out.println(map1.getGroups(otherArgs[0]).toString());
                String netgroups = getUsersForNetgroup(otherArgs[1]).toString();
                System.out.println("netgroup users--> " + netgroups);
            } catch (Exception e) {
                // TODO: handle exception
                System.out.println(e.getMessage());
            }
        }
    }

    protected static List<String> getUsersForNetgroup(String netgroup)
            throws IOException {
        List<String> users = new LinkedList<String>();
        // returns a string similar to this:
        // group ( , user, ) ( domain, user1, host.com )
        String usersRaw = execShellGetUserForNetgroup(netgroup);
        // get rid of spaces, makes splitting much easier
        // System.out.println("1 " +usersRaw);
        usersRaw = usersRaw.replaceAll(" +", "");
        // remove netgroup name at the beginning of the string
        usersRaw = usersRaw.replaceFirst(
                netgroup.replaceFirst("@", "") + "[()]+", "");
        // System.out.println("2 " +usersRaw);
        // split string into user infos
        String[] userInfos = usersRaw.split("[()]+");
        for (String userInfo : userInfos) {
            // userInfo: xxx,user,yyy (xxx, yyy can be empty strings)
            // get rid of everything before first and after last comma
            String user = userInfo.replaceFirst("[^,]*,", "");
            user = user.replaceFirst(",.*$", "");
            // voila! got username!
            users.add(user);
            // System.out.println("user " + user);
        }
        return users;
    }

    protected static String execShellGetUserForNetgroup(final String netgroup)
            throws IOException {
        String result = "";
        try {
            System.out.println(netgroup);
            System.out.println(netgroup.substring(1));
            // shell command does not expect '@' at the begining of the group name
            // result = Shell.execCommand(Shell.getUsersForNetgroupCommand(netgroup.substring(1)));
            // modified
            result = Shell.execCommand(Shell.getUsersForNetgroupCommand(netgroup));
            // System.out.println("modified_result -->"+ result);
        } catch (ExitCodeException e) {
            // if we didn't get the group - just return empty list;
            // LOG.warn("error getting users for netgroup " + netgroup, e);
            e.printStackTrace();
        }
        return result;
    }
}
{code}
And then:
hadoop jar jarfile classpath user_name netgroup_name
It works only if I get rid of substring.
> JniBasedUnixGroupsNetgroupMapping.java and
> ShellBasedUnixGroupsNetgroupMapping.java use netgroup.substring(1)
> --------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-15213
> URL: https://issues.apache.org/jira/browse/HADOOP-15213
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Environment: SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 3
> Reporter: Dhirendra Khanka
> Priority: Minor
>
>
> Part of the code from the 2 classes below is shown:
> org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping.java
> {code:java}
> protected synchronized List<String> getUsersForNetgroup(String netgroup) {
>   String[] users = null;
>   try {
>     // JNI code does not expect '@' at the begining of the group name
>     users = getUsersForNetgroupJNI(netgroup.substring(1));
>   } catch (Exception e) {
>     if (LOG.isDebugEnabled()) {
>       LOG.debug("Error getting users for netgroup " + netgroup, e);
>     } else {
>       LOG.info("Error getting users for netgroup " + netgroup +
>           ": " + e.getMessage());
>     }
>   }
>   if (users != null && users.length != 0) {
>     return Arrays.asList(users);
>   }
>   return new LinkedList<String>();
> }
> {code}
> org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.java
>
> {code:java}
> protected String execShellGetUserForNetgroup(final String netgroup)
>     throws IOException {
>   String result = "";
>   try {
>     // shell command does not expect '@' at the begining of the group name
>     result = Shell.execCommand(
>         Shell.getUsersForNetgroupCommand(netgroup.substring(1)));
>   } catch (ExitCodeException e) {
>     // if we didn't get the group - just return empty list;
>     LOG.warn("error getting users for netgroup " + netgroup, e);
>   }
>   return result;
> }
> {code}
> The comments from the code above expect the input to contain '@' , however
> when executing the shell directly the output has the below form which does
> not contain any ampersand symbol.
> {code:java}
> :~> getent netgroup mynetgroup1
> mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, )
> {code}
>
> I have created a test code and removed the substring function and then ran it
> on the cluster using hadoop jar. The code returned netgroups correctly after
> the modification. I have limited knowledge on netgroup. The issue was
> discovered when
> hadoop.security.group.mapping =
> *org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback* was added
> to core-site.xml and it failed to apply netgroup access.
>
>
>
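Added example, not part of the original message and not Hadoop's own code: a sketch of the name handling discussed in this issue, showing how an unconditional `substring(1)` truncates a netgroup name that arrives without a leading '@', next to a check that strips the prefix only when it is present. The class `NetgroupNameCheck` and the helpers `lookupName` and `parseUsers` are hypothetical names, and the sample line is constructed in the `getent netgroup` format shown in the issue description.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NetgroupNameCheck {
  // One (host,user,domain) triple from `getent netgroup` output, spaces removed.
  private static final Pattern TRIPLE =
      Pattern.compile("\\(([^,()]*),([^,()]*),([^,()]*)\\)");

  /** Hypothetical helper: strip a leading '@' only when it is present. */
  static String lookupName(String netgroup) {
    if (netgroup == null || netgroup.isEmpty()) {
      throw new IllegalArgumentException("empty netgroup name");
    }
    return netgroup.charAt(0) == '@' ? netgroup.substring(1) : netgroup;
  }

  /** Hypothetical helper: collect the non-empty user fields of each triple. */
  static List<String> parseUsers(String getentOutput) {
    List<String> users = new ArrayList<>();
    Matcher m = TRIPLE.matcher(getentOutput.replaceAll("\\s+", ""));
    while (m.find()) {
      String user = m.group(2);
      if (!user.isEmpty()) {
        users.add(user);
      }
    }
    return users;
  }

  public static void main(String[] args) {
    // Constructed sample in the format shown in the issue description.
    String sample =
        "mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, )";
    for (String name : new String[] {"@mynetgroup1", "mynetgroup1"}) {
      // Unconditional substring(1) turns the second form into "ynetgroup1",
      // so the lookup would be made for a netgroup that does not exist.
      System.out.println(name + " -> unconditional: " + name.substring(1)
          + ", checked: " + lookupName(name));
    }
    System.out.println("users: " + parseUsers(sample));
  }
}
```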