You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Dhirendra Khanka (JIRA)" <ji...@apache.org> on 2018/02/07 08:58:00 UTC
[jira] [Created] (HADOOP-15213)
JniBasedUnixGroupsNetgroupMapping.java and
ShellBasedUnixGroupsNetgroupMapping.java use netgroup.substring(1)
Dhirendra Khanka created HADOOP-15213:
-----------------------------------------
Summary: JniBasedUnixGroupsNetgroupMapping.java and ShellBasedUnixGroupsNetgroupMapping.java use netgroup.substring(1)
Key: HADOOP-15213
URL: https://issues.apache.org/jira/browse/HADOOP-15213
Project: Hadoop Common
Issue Type: Improvement
Components: security
Environment: SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 3
Reporter: Dhirendra Khanka
Attachments: image-2018-02-07-13-28-45-230.png, image-2018-02-07-13-28-47-106.png, image-2018-02-07-13-28-50-696.png, image-2018-02-07-13-29-25-647.png
Part of the code below shown from below 2 classes
org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping.java
{code:java}
protected synchronized List<String> getUsersForNetgroup(String netgroup) {
String[] users = null;
try {
// JNI code does not expect '@' at the begining of the group name
users = getUsersForNetgroupJNI(netgroup.substring(1));
} catch (Exception e) {
if (LOG.isDebugEnabled()) {
LOG.debug("Error getting users for netgroup " + netgroup, e);
} else {
LOG.info("Error getting users for netgroup " + netgroup +
": " + e.getMessage());
}
}
if (users != null && users.length != 0) {
return Arrays.asList(users);
}
return new LinkedList<String>();
}{code}
org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.java
{code:java}
protected String execShellGetUserForNetgroup(final String netgroup)
throws IOException {
String result = "";
try
{ // shell command does not expect '@' at the begining of the group name result = Shell.execCommand( Shell.getUsersForNetgroupCommand(netgroup.substring(1))); }
catch (ExitCodeException e)
{ // if we didn't get the group - just return empty list; LOG.warn("error getting users for netgroup " + netgroup, e); }
return result;
}
{code}
The comments from the code above expect the input to contain '@' , however when executing the shell directly the output has the below form which does not contain any ampersand symbol.
{code:java}
:~> getent netgroup mynetgroup1
mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, ){code}
I have created a test code and removed the substring function and then ran it on the cluster using hadoop jar. The code returned netgroups correctly after the modification. I have limited knowledge on netgroup. The issue was discovered when
hadoop.security.group.mapping = *org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback* was added to core-site.xml and it failed to apply netgroup access.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org