Posted to common-dev@hadoop.apache.org by "Arun C Murthy (JIRA)" <ji...@apache.org> on 2008/11/13 23:15:44 UTC

[jira] Created: (HADOOP-4656) Add a user to groups mapping service

Add a user to groups mapping service 
-------------------------------------

                 Key: HADOOP-4656
                 URL: https://issues.apache.org/jira/browse/HADOOP-4656
             Project: Hadoop Core
          Issue Type: Improvement
          Components: security
    Affects Versions: 0.19.0
            Reporter: Arun C Murthy
             Fix For: 0.20.0


Currently the IPC client sends the UGI, which contains the user/group information, to the Server. However this represents the groups for the user on the client end. The more pertinent mapping from user to groups is actually the one seen by the Server. Hence the client should only send the user, and we should add a 'group mapping service' so that the Server can query it for the mapping.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (HADOOP-4656) Add a user to groups mapping service

Posted by "Arun C Murthy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12661882#action_12661882 ] 

Arun C Murthy commented on HADOOP-4656:
---------------------------------------

I propose a new abstract class Groups with a single method 'getGroups' as below:

{code:title=Groups.java}
import java.util.List;

/** Maps a user name to the groups the Server sees that user as belonging to. */
public abstract class Groups {
  /** Returns the groups for the given user, as resolved on the Server side. */
  public abstract List<String> getGroups(String username);
}
{code}

with a concrete implementation which gets the unix groups for the given user.




[jira] Assigned: (HADOOP-4656) Add a user to groups mapping service

Posted by "Arun C Murthy (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arun C Murthy reassigned HADOOP-4656:
-------------------------------------

    Assignee: Arun C Murthy



[jira] Commented: (HADOOP-4656) Add a user to groups mapping service

Posted by "Kan Zhang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12702947#action_12702947 ] 

Kan Zhang commented on HADOOP-4656:
-----------------------------------

Arun, can we get this one done soon? I'm working on 4343, which depends on this. Thanks.



[jira] Commented: (HADOOP-4656) Add a user to groups mapping service

Posted by "Allen Wittenauer (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663067#action_12663067 ] 

Allen Wittenauer commented on HADOOP-4656:
------------------------------------------

Groups should definitely come from asking the host OS in some form, using the Java equivalent of getgrent() and friends. [Be aware that getgroups() is BSD-specific and may not be available on System V, such as Solaris and HP-UX.] Doing this via shell call-out is just going to exacerbate the memory problems we already see, especially on the secondary name node, which requires more memory than the primary due to the fork of whoami/id!

It also opens up yet another security hole, where any random groups command on the name node's path can be used to override. Not Good(tm).


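Added example, not code from the thread or from the HADOOP-4656 patch: a hypothetical concrete implementation of the Groups class Arun proposed above, written so that the shell call-out Allen objects to at least cannot be redirected by a stray groups/id binary on the daemon's PATH, and cannot be handed a user name carrying shell metacharacters or option flags. Assumptions made here: id(1) lives at /usr/bin/id and accepts -Gn, user names match the POSIX portable character set, and the class name UnixGroups and the constants are invented for this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/** The abstraction proposed in the thread: user name in, server-side group list out. */
abstract class Groups {
  abstract List<String> getGroups(String username) throws IOException;
}

/**
 * Hypothetical resolver that asks the host OS for a user's groups.
 * Differences from a naive Runtime.exec("groups " + username):
 *   1. the binary is named by an absolute path, so a rogue "id" or "groups"
 *      earlier on the daemon's PATH cannot substitute its own answer;
 *   2. the user name is validated and passed as its own argv element
 *      (no /bin/sh -c), so it cannot smuggle metacharacters or flags;
 *   3. the child gets an empty environment, so PATH/LD_PRELOAD inherited
 *      by the daemon cannot influence the lookup.
 * It still forks one process per lookup, which is the memory cost raised
 * in the thread; a getgrent()-style native resolver would avoid that.
 */
public class UnixGroups extends Groups {
  // Assumed location of id(1); adjust per platform (assumption).
  private static final String ID_BINARY = "/usr/bin/id";
  // POSIX portable user-name characters; rejects "-G", "a;b", "$(...)" etc.
  private static final Pattern SAFE_USER = Pattern.compile("^[a-z_][a-z0-9_-]{0,31}$");

  @Override
  List<String> getGroups(String username) throws IOException {
    if (username == null || !SAFE_USER.matcher(username).matches()) {
      throw new IllegalArgumentException("refusing to look up unsafe user name");
    }
    ProcessBuilder pb = new ProcessBuilder(ID_BINARY, "-Gn", username);
    pb.environment().clear();
    pb.redirectErrorStream(true);
    Process p = pb.start();

    // Read stdout before waiting, so a long group list cannot block the child.
    List<String> groups = new ArrayList<String>();
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    try {
      String line = r.readLine();
      if (line != null) {
        for (String g : line.trim().split("\\s+")) {
          if (g.length() > 0) {
            groups.add(g);
          }
        }
      }
    } finally {
      r.close();
    }

    int rc;
    try {
      rc = p.waitFor();
    } catch (InterruptedException e) {
      Thread.currentThread().interrupt();
      throw new IOException("interrupted while resolving groups for " + username);
    }
    if (rc != 0) {
      // Unknown user (id printed an error, not a group list): no groups, not a crash.
      return Collections.emptyList();
    }
    return Collections.unmodifiableList(groups);
  }

  public static void main(String[] args) throws IOException {
    String user = args.length > 0 ? args[0] : System.getProperty("user.name");
    System.out.println(user + " -> " + new UnixGroups().getGroups(user));
  }
}
```

Compile and run with `javac UnixGroups.java && java UnixGroups $USER`; passing a name such as `"x;id"` or `-G` is rejected by the validator before any process is started. Because the answer comes from the OS, the nscd caching Allen describes in his later comment applies to these lookups as-is, without a second cache inside the daemon.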


[jira] Updated: (HADOOP-4656) Add a user to groups mapping service

Posted by "Arun C Murthy (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arun C Murthy updated HADOOP-4656:
----------------------------------

    Attachment: HADOOP-4656_0_20090108.patch

Preliminary patch while I continue testing.




[jira] Commented: (HADOOP-4656) Add a user to groups mapping service

Posted by "Kan Zhang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12662059#action_12662059 ] 

Kan Zhang commented on HADOOP-4656:
-----------------------------------

> I propose we change the IPC Client to send the JAAS Subject in the header rather than UGI, this will also be compatible with the way we will do Kerberos-based authentication via the GSS API.

Just want to clarify that application code doesn't send anything when using Kerberos. It's all hidden inside the GSS API library. After authentication, the server can query the established GSS context to get the client ID as a GSSName, which can be converted to a String. So for compatibility, the IPC Client doesn't have to send a JAAS Subject in the header. Sending a String is fine.



[jira] Commented: (HADOOP-4656) Add a user to groups mapping service

Posted by "Allen Wittenauer (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663381#action_12663381 ] 

Allen Wittenauer commented on HADOOP-4656:
------------------------------------------

Privately, someone asked about caching the group content.

One of the big advantages of talking to the OS is that many systems include a naming services caching daemon that handles caching group and similar content for the entire machine.  nscd generally includes great support for controlling the size, ttl, negative ttl, etc, for the cache.  Duplicating that functionality seems like overkill and, worse, will act as a cache against a cache!




[jira] Commented: (HADOOP-4656) Add a user to groups mapping service

Posted by "Arun C Murthy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12647677#action_12647677 ] 

Arun C Murthy commented on HADOOP-4656:
---------------------------------------

HADOOP-4348 is switching IPC to use the JAAS Subject rather than UGI (which will become an internal artifact). While we are adding the user-to-group mapping service, I propose we change the IPC Client to send the JAAS Subject in the header rather than UGI, this will also be compatible with the way we will do Kerberos-based authentication via the GSS API.
