[
https://issues.apache.org/jira/browse/HADOOP-15213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16358139#comment-16358139
]
Dhirendra Khanka commented on HADOOP-15213:
-------------------------------------------
Please provide valid references for your assertion that netgroups are meant for
service accounts. I don't mean it's a bug. It's just that the implementation
should check if substring(1) = '@'; if yes, then use netgroups.substring(1), else
just pass netgroups.
I can show you the reference below:
[https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/GroupsMapping.html]
which states:
The groups of a user are determined by a group mapping service provider. Hadoop
supports various group mapping mechanisms, configured by the
{{hadoop.security.group.mapping}} property. Some of them, such as
{{JniBasedUnixGroupsMappingWithFallback}}, use operating systems' group name
resolution and require no configuration. But Hadoop also supports special
group mapping mechanisms through LDAP and composition of LDAP and operating
system group name resolution, which require additional configuration.
{{hadoop.security.group.mapping}} can be one of the following:
* *org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping*
This implementation is similar to {{ShellBasedUnixGroupsMapping}}, except that
it executes {color:#FF0000}{{getent netgroup}} command to get netgroup
membership.{color}
The reference link {color:#FF0000}does not in any place state that the
netgroups are meant for service accounts ACLs{color}. And besides, I don't
understand in the first place why service accounts would be placed in
netgroups. Aren't service accounts meant to be local unix accounts?
Also find below the debug output to see the netgroup API calls in action:
{code}
tdms@casatdhdp01master01:~> hdfs dfs -ls /user/tdms
18/02/09 09:47:30 DEBUG util.Shell: setsid exited with exit code 0
18/02/09 09:47:30 DEBUG conf.Configuration: parsing URL jar:file:/usr/hdp/2.5.3.0-37/hadoop/hadoop-common-2.7.3.2.5.3.0-37.jar!/core-default.xml
18/02/09 09:47:30 DEBUG conf.Configuration: parsing input stream sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream@78186a70
18/02/09 09:47:30 DEBUG conf.Configuration: parsing URL file:/etc/hadoop/2.5.3.0-37/0/core-site.xml
18/02/09 09:47:30 DEBUG conf.Configuration: parsing input stream java.io.BufferedInputStream@15d9bc04
18/02/09 09:47:30 DEBUG security.SecurityUtil: Setting hadoop.security.token.service.use_ip to true
18/02/09 09:47:30 DEBUG util.KerberosName: Kerberos krb5 configuration not found, setting default realm to empty
18/02/09 09:47:30 DEBUG security.Groups: Creating new Groups object
18/02/09 09:47:30 DEBUG util.NativeCodeLoader: Trying to load the custom-built native-hadoop library...
18/02/09 09:47:30 DEBUG util.NativeCodeLoader: Loaded the native-hadoop library
18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsMapping: Using JniBasedUnixGroupsMapping for Group resolution
18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsNetgroupMapping: Using JniBasedUnixGroupsNetgroupMapping for Netgroup resolution
18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsNetgroupMappingWithFallback: Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
18/02/09 09:47:30 DEBUG security.Groups: Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMappingWithFallback; cacheTimeout=300000; warningDeltaMs=5000
18/02/09 09:47:30 DEBUG security.UserGroupInformation: hadoop login
18/02/09 09:47:30 DEBUG security.UserGroupInformation: hadoop login commit
18/02/09 09:47:30 DEBUG security.UserGroupInformation: using local user:UnixPrincipal: tdms
18/02/09 09:47:30 DEBUG security.UserGroupInformation: Using user: "UnixPrincipal: tdms" with name tdms
18/02/09 09:47:30 DEBUG security.UserGroupInformation: User entry: "tdms"
18/02/09 09:47:30 DEBUG security.UserGroupInformation: UGI loginUser:tdms (auth:SIMPLE)
{code}
> JniBasedUnixGroupsNetgroupMapping.java and
> ShellBasedUnixGroupsNetgroupMapping.java use netgroup.substring(1)
> --------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-15213
> URL: https://issues.apache.org/jira/browse/HADOOP-15213
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Environment: SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 3
> Reporter: Dhirendra Khanka
> Priority: Minor
>
>
> Part of the code is shown below from the following 2 classes:
> org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping.java
> {code:java}
> protected synchronized List<String> getUsersForNetgroup(String netgroup) {
>   String[] users = null;
>   try {
>     // JNI code does not expect '@' at the beginning of the group name
>     users = getUsersForNetgroupJNI(netgroup.substring(1));
>   } catch (Exception e) {
>     if (LOG.isDebugEnabled()) {
>       LOG.debug("Error getting users for netgroup " + netgroup, e);
>     } else {
>       LOG.info("Error getting users for netgroup " + netgroup +
>           ": " + e.getMessage());
>     }
>   }
>   if (users != null && users.length != 0) {
>     return Arrays.asList(users);
>   }
>   return new LinkedList<String>();
> }
> {code}
> org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.java
>
> {code:java}
> protected String execShellGetUserForNetgroup(final String netgroup)
>     throws IOException {
>   String result = "";
>   try {
>     // shell command does not expect '@' at the beginning of the group name
>     result = Shell.execCommand(
>         Shell.getUsersForNetgroupCommand(netgroup.substring(1)));
>   } catch (ExitCodeException e) {
>     // if we didn't get the group - just return empty list
>     LOG.warn("error getting users for netgroup " + netgroup, e);
>   }
>   return result;
> }
> {code}
> The comments in the code above expect the input to contain '@'; however,
> when executing the shell directly, the output has the form below, which does
> not contain any ampersand symbol.
> {code}
> :~> getent netgroup mynetgroup1
> mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, )
> {code}
>
> I have created test code, removed the substring function and then ran it on
> the cluster using hadoop jar. The code returned netgroups correctly after the
> modification. I have limited knowledge of netgroups. The issue was discovered
> when hadoop.security.group.mapping =
> *org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback* was added
> to core-site.xml and it failed to apply netgroup access.
>
> Also find below the debug output to see the netgroup API calls in action:
> tdms@casatdhdp01master01:~> hdfs dfs -ls /user/tdms
> 18/02/09 09:47:30 DEBUG util.Shell: setsid exited with exit code 0
> 18/02/09 09:47:30 DEBUG conf.Configuration: parsing URL jar:file:/usr/hdp/2.5.3.0-37/hadoop/hadoop-common-2.7.3.2.5.3.0-37.jar!/core-default.xml
> 18/02/09 09:47:30 DEBUG conf.Configuration: parsing input stream sun.net.www.protocol.jar.JarURLConnection$JarURLInputStream@78186a70
> 18/02/09 09:47:30 DEBUG conf.Configuration: parsing URL file:/etc/hadoop/2.5.3.0-37/0/core-site.xml
> 18/02/09 09:47:30 DEBUG conf.Configuration: parsing input stream java.io.BufferedInputStream@15d9bc04
> 18/02/09 09:47:30 DEBUG security.SecurityUtil: Setting hadoop.security.token.service.use_ip to true
> 18/02/09 09:47:30 DEBUG util.KerberosName: Kerberos krb5 configuration not found, setting default realm to empty
> 18/02/09 09:47:30 DEBUG security.Groups: Creating new Groups object
> 18/02/09 09:47:30 DEBUG util.NativeCodeLoader: Trying to load the custom-built native-hadoop library...
> 18/02/09 09:47:30 DEBUG util.NativeCodeLoader: Loaded the native-hadoop library
> 18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsMapping: Using JniBasedUnixGroupsMapping for Group resolution
> 18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsNetgroupMapping: Using JniBasedUnixGroupsNetgroupMapping for Netgroup resolution
> 18/02/09 09:47:30 DEBUG security.JniBasedUnixGroupsNetgroupMappingWithFallback: Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
> 18/02/09 09:47:30 DEBUG security.Groups: Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMappingWithFallback; cacheTimeout=300000; warningDeltaMs=5000
> 18/02/09 09:47:30 DEBUG security.UserGroupInformation: hadoop login
> 18/02/09 09:47:30 DEBUG security.UserGroupInformation: hadoop login commit
> 18/02/09 09:47:30 DEBUG security.UserGroupInformation: using local user:UnixPrincipal: tdms
> 18/02/09 09:47:30 DEBUG security.UserGroupInformation: Using user: "UnixPrincipal: tdms" with name tdms
> 18/02/09 09:47:30 DEBUG security.UserGroupInformation: User entry: "tdms"
> 18/02/09 09:47:30 DEBUG security.UserGroupInformation: UGI loginUser:tdms (auth:SIMPLE)
>
>
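As an added example (not code from the issue, the commenter, or Hadoop itself), the Python below puts the two positions in this thread side by side: a parser for the `( host, user, domain )` triples that `getent netgroup` prints, a lookup that strips a leading `@` only when one is present (the commenter's suggestion), and a mirror of the unconditional `substring(1)` in the reported code. The sample `getent` lines, the helper names, and the reading of `@` as the marker for a netgroup inside an ACL string are assumptions of this example. The operational point it makes visible: when a netgroup name arrives without `@`, the unconditional strip looks up a name that does not exist, the lookup fails (the page's code only logs this), and the mapping hands back an empty member list, so the ACL matches nobody and the misconfiguration is noticed only as denied access.

```python
import re
import subprocess
from typing import Callable, List, Optional

# Constructed sample of `getent netgroup NAME` output, modelled on the line
# shown in the issue: the netgroup name followed by ( host, user, domain )
# triples. The netgroup and user names are made up for this example.
SAMPLE_GETENT = {
    "mynetgroup1": "mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, )",
    "hostonly":    "hostonly (node1, , ) (node2, , )",
    "mixed":       "mixed (gw1, alice, example.com) ( , bob, )",
}

# One netgroup triple: ( host , user , domain ); any field may be empty.
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup_users(line: str) -> List[str]:
    """Return the user field of every triple on a `getent netgroup` line.

    Host-only triples (empty user field) are skipped: they name machines,
    not accounts, and grant nothing to a user-based ACL.
    """
    return [user for _host, user, _domain in TRIPLE_RE.findall(line) if user]


def sample_lookup(name: str) -> Optional[str]:
    """Offline stand-in for `getent netgroup NAME`; None when the name is unknown."""
    return SAMPLE_GETENT.get(name)


def getent_lookup(name: str) -> Optional[str]:
    """Real lookup through the getent binary; a non-zero exit means 'not found'."""
    proc = subprocess.run(["getent", "netgroup", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip() if proc.returncode == 0 else None


def strip_marker(netgroup: str) -> str:
    """Drop the leading '@' that (assumed here) marks a netgroup in an ACL
    string, but only when it is actually present: the commenter's proposal."""
    return netgroup[1:] if netgroup.startswith("@") else netgroup


def users_for_netgroup(netgroup: str,
                       lookup: Callable[[str], Optional[str]] = sample_lookup) -> List[str]:
    """Tolerant resolution: '@mynetgroup1' and 'mynetgroup1' resolve the same."""
    line = lookup(strip_marker(netgroup))
    return parse_netgroup_users(line) if line is not None else []


def users_for_netgroup_unconditional(netgroup: str,
                                     lookup: Callable[[str], Optional[str]] = sample_lookup) -> List[str]:
    """Mirror of the reported code: netgroup.substring(1) regardless of the
    first character. A name passed without '@' loses its first letter, the
    lookup fails, and the caller receives an empty member list."""
    line = lookup(netgroup[1:])
    return parse_netgroup_users(line) if line is not None else []


if __name__ == "__main__":
    for name in ("@mynetgroup1", "mynetgroup1"):
        print(f"{name:>13}: tolerant={users_for_netgroup(name)} "
              f"unconditional={users_for_netgroup_unconditional(name)}")
```

Run as a script it prints both resolution paths for the marked and unmarked name; swap `getent_lookup` in for `sample_lookup` to check the netgroup data a real host actually serves (NIS, LDAP, or `/etc/netgroup`) before trusting an ACL that depends on it.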
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)