Posted to commits@impala.apache.org by st...@apache.org on 2021/11/29 01:24:12 UTC

[impala] 01/04: IMPALA-11027: Adding flag to enable support for ShellBasedUnixGroupsMapping

This is an automated email from the ASF dual-hosted git repository.

stigahuang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit b2c51a0cefb00eccad98d020f5b16cf18a56c979
Author: Amogh Margoor <am...@cloudera.com>
AuthorDate: Thu Nov 11 06:27:07 2021 -0800

    IMPALA-11027: Adding flag to enable support for ShellBasedUnixGroupsMapping
    
    Currently, Impala doesn't support ShellBasedUnixGroupsMapping and
    ShellBasedUnixGroupsNetgroupMapping to fetch Hadoop groups as they
    spawn a new process and run shell command to fetch group info.
    In Impala, this would happen for every session being created
    when user delegation is enabled via impala.doas.user and
    authorized_proxy_group_config. It can have many gotcha's like
    spawning many processes together in a highly concurrent setting,
    creation of zombie processes on abrupt crashing of impalad etc.
    
    However, not everyone in the ecosystem has moved away from shell-based
    group mapping. For instance, in the Cloudera distribution many components
    still rely on it. So we need a way to let users use shell-based
    mapping instead of disallowing it altogether.
    This patch provides a flag that enables this support for users
    who are aware of the gotchas it comes with.
    
    Change-Id: I023f396a79f3aa27ad6ac80e91f527058a5a5470
    Reviewed-on: http://gerrit.cloudera.org:8080/18019
    Reviewed-by: Zoltan Borok-Nagy <bo...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 be/src/service/frontend.cc                                    | 5 +++++
 be/src/util/backend-gflag-util.cc                             | 3 +++
 common/thrift/BackendGflags.thrift                            | 2 ++
 docs/topics/impala_delegation.xml                             | 3 ++-
 fe/src/main/java/org/apache/impala/service/BackendConfig.java | 4 ++++
 fe/src/main/java/org/apache/impala/service/JniFrontend.java   | 3 ++-
 6 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/be/src/service/frontend.cc b/be/src/service/frontend.cc
index 608ba68..8105be7 100644
--- a/be/src/service/frontend.cc
+++ b/be/src/service/frontend.cc
@@ -74,6 +74,11 @@ DEFINE_string(authorized_proxy_group_config, "",
     "all users. For example: hue=group1,group2;admin=*");
 DEFINE_string(authorized_proxy_group_config_delimiter, ",",
     "Specifies the delimiter used in authorized_proxy_group_config. ");
+DEFINE_bool(enable_shell_based_groups_mapping_support, false,
+    "Enables support for Hadoop groups mapping "
+    "org.apache.hadoop.security.ShellBasedUnixGroupsMapping. By default this support "
+    "is not enabled as it can lead to many process getting spawned to fetch groups for "
+    "user using shell command.");
 DEFINE_string(kudu_master_hosts, "", "Specifies the default Kudu master(s). The given "
     "value should be a comma separated list of hostnames or IP addresses; ports are "
     "optional.");
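Review bot: The help text for `enable_shell_based_groups_mapping_support` names only `ShellBasedUnixGroupsMapping`, although the commit message and the docs hunk say the flag also covers `ShellBasedUnixGroupsNetgroupMapping`, so an operator reading the flag help cannot tell that the netgroup provider becomes allowed as well. The docs hunk in `docs/topics/impala_delegation.xml` also spells the flag `enable_shell_based_groups_mapping`, without the `_support` suffix defined here, so the documented name does not match the real flag. I would extend the help string to name both providers and the conditions given in the commit message (a process spawned per delegated session, possible zombie processes if impalad crashes), and correct the flag name in the docs.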
diff --git a/be/src/util/backend-gflag-util.cc b/be/src/util/backend-gflag-util.cc
index 1cc089d..f210ddb 100644
--- a/be/src/util/backend-gflag-util.cc
+++ b/be/src/util/backend-gflag-util.cc
@@ -48,6 +48,7 @@ DECLARE_string(principal);
 DECLARE_string(local_library_dir);
 DECLARE_string(server_name);
 DECLARE_string(authorized_proxy_group_config);
+DECLARE_bool(enable_shell_based_groups_mapping_support);
 DECLARE_string(catalog_topic_mode);
 DECLARE_string(kudu_master_hosts);
 DECLARE_string(reserved_words_version);
@@ -230,6 +231,8 @@ Status PopulateThriftBackendGflags(TBackendGflags& cfg) {
   cfg.__set_max_filter_error_rate(FLAGS_max_filter_error_rate);
   cfg.__set_min_buffer_size(FLAGS_min_buffer_size);
   cfg.__set_authorized_proxy_group_config(FLAGS_authorized_proxy_group_config);
+  cfg.__set_enable_shell_based_groups_mapping_support(
+      FLAGS_enable_shell_based_groups_mapping_support);
   cfg.__set_disable_catalog_data_ops_debug_only(
       FLAGS_disable_catalog_data_ops_debug_only);
   cfg.__set_catalog_topic_mode(FLAGS_catalog_topic_mode);
diff --git a/common/thrift/BackendGflags.thrift b/common/thrift/BackendGflags.thrift
index 88017f6..198f1f2 100644
--- a/common/thrift/BackendGflags.thrift
+++ b/common/thrift/BackendGflags.thrift
@@ -217,4 +217,6 @@ struct TBackendGflags {
   96: required string startup_filesystem_check_directories
 
   97: required bool hms_event_incremental_refresh_transactional_table
+
+  98: required bool enable_shell_based_groups_mapping_support
 }
diff --git a/docs/topics/impala_delegation.xml b/docs/topics/impala_delegation.xml
index dd535fb..03914c4 100644
--- a/docs/topics/impala_delegation.xml
+++ b/docs/topics/impala_delegation.xml
@@ -172,7 +172,8 @@ under the License.
 
       <li>
         ShellBasedUnixGroupsNetgroupMapping and ShellBasedUnixGroupsMapping Hadoop group mapping
-        providers are not supported in Impala group delegation.
+        providers are not supported in Impala group delegation by default. To enable them, flag
+        <codeph>enable_shell_based_groups_mapping</codeph> needs to be enabled.
       </li>
 
       <li>
diff --git a/fe/src/main/java/org/apache/impala/service/BackendConfig.java b/fe/src/main/java/org/apache/impala/service/BackendConfig.java
index b0614ae..898ae90 100644
--- a/fe/src/main/java/org/apache/impala/service/BackendConfig.java
+++ b/fe/src/main/java/org/apache/impala/service/BackendConfig.java
@@ -103,6 +103,10 @@ public class BackendConfig {
     return !Strings.isNullOrEmpty(backendCfg_.authorized_proxy_group_config);
   }
 
+  public boolean isShellBasedGroupsMappingEnabled() {
+    return backendCfg_.enable_shell_based_groups_mapping_support;
+  }
+
   public boolean disableCatalogDataOpsDebugOnly() {
     return backendCfg_.disable_catalog_data_ops_debug_only;
   }
diff --git a/fe/src/main/java/org/apache/impala/service/JniFrontend.java b/fe/src/main/java/org/apache/impala/service/JniFrontend.java
index f8c7f2c..663673e 100644
--- a/fe/src/main/java/org/apache/impala/service/JniFrontend.java
+++ b/fe/src/main/java/org/apache/impala/service/JniFrontend.java
@@ -823,7 +823,8 @@ public class JniFrontend {
     output.append(checkLogFilePermission());
     output.append(checkFileSystem(CONF));
     output.append(checkShortCircuitRead(CONF));
-    if (BackendConfig.INSTANCE.isAuthorizedProxyGroupEnabled()) {
+    if (BackendConfig.INSTANCE.isAuthorizedProxyGroupEnabled() &&
+        !BackendConfig.INSTANCE.isShellBasedGroupsMappingEnabled()) {
       output.append(checkGroupsMappingProvider(CONF));
     }
     return output.toString();
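Review bot: With the flag set, the new condition skips `checkGroupsMappingProvider(CONF)` entirely and leaves no trace in the startup output or log that the check was bypassed. The commit message says the shell-based providers run a shell command for every delegated session, so an operator or auditor should be able to see that this mode is active. An `else if (BackendConfig.INSTANCE.isAuthorizedProxyGroupEnabled())` branch that logs a warning would cover it, e.g. `LOG.warn("enable_shell_based_groups_mapping_support is set: skipping Hadoop groups mapping provider check");` (assuming the class has a logger in scope). It is also worth confirming, outside this hunk, that the `impala.doas.user` value is validated before it reaches a provider that presumably passes it to a shell command. The enclosing method starts before the hunk.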