Posted to common-issues@hadoop.apache.org by "FROHNER Ákos (JIRA)" <ji...@apache.org> on 2009/09/14 17:52:57 UTC

[jira] Commented: (HADOOP-4656) Add a user to groups mapping service

    [ https://issues.apache.org/jira/browse/HADOOP-4656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12755035#action_12755035 ] 

FROHNER Ákos commented on HADOOP-4656:
--------------------------------------

Please consider passing the authentication context to the getGroups() method,
as it might be easier to retrieve the associated groups using that information, 
than based only on the username.

For example in POSIX environments it is faster to do a lookup based on the 
numeric UID, than based on the username.

If you are using Kerberos with PAC, then the authentication context may already
contain a list of associated groups:
http://k5wiki.kerberos.org/wiki/Projects/PAC_and_principal_APIs

There is a similar solution based on X509 authentication, where the associated
list of groups is embedded into the authentication context.

> Add a user to groups mapping service 
> -------------------------------------
>
>                 Key: HADOOP-4656
>                 URL: https://issues.apache.org/jira/browse/HADOOP-4656
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.19.0
>            Reporter: Arun C Murthy
>            Assignee: Arun C Murthy
>         Attachments: HADOOP-4656_0_20090108.patch
>
>
> Currently the IPC client sends the UGI which contains the user/group information for the Server. However this represents the groups for the user on the client-end. The more pertinent mapping from user to groups is actually the one seen by the Server. Hence the client should only send the user and we should add a 'group mapping service' so that the Server can query it for the mapping.

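
The following is an added sketch of the suggestion in this comment, not code from the HADOOP-4656 patch or from Hadoop: a server-side getGroups() that receives the authentication context and prefers groups carried by the verified credential, then a numeric UID lookup, then the username. The types AuthContext and Directory, the getGroups() signature and the sample data are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.OptionalInt;

// Hypothetical types for illustration only; none of these are Hadoop classes.
public class GroupMappingSketch {

    /** What the server established while authenticating the caller.
     *  verifiedGroups is present only when the credential itself carried a
     *  group list (for example a Kerberos PAC or X509 attributes). */
    record AuthContext(String user, OptionalInt uid, Optional<List<String>> verifiedGroups) {}

    /** Server-side lookup backend; constructed tables stand in for NSS/LDAP. */
    interface Directory {
        List<String> byUid(int uid);
        List<String> byName(String user);
    }

    /** Resolves groups from server-trusted sources only.
     *  Groups claimed by the client are never an input. */
    static List<String> getGroups(AuthContext ctx, Directory dir) {
        // 1. Groups embedded in the verified credential; an empty list is a valid answer.
        if (ctx.verifiedGroups().isPresent()) {
            return List.copyOf(ctx.verifiedGroups().get());
        }
        // 2. Numeric UID lookup when the context carries one.
        if (ctx.uid().isPresent()) {
            return dir.byUid(ctx.uid().getAsInt());
        }
        // 3. Fall back to a lookup by username.
        return dir.byName(ctx.user());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<Integer, List<String>> uidTable = Map.of(1001, List.of("hadoop", "staff"));
        Map<String, List<String>> nameTable = Map.of("carol", List.of("analysts"));
        Directory dir = new Directory() {
            public List<String> byUid(int uid) { return uidTable.getOrDefault(uid, List.of()); }
            public List<String> byName(String user) { return nameTable.getOrDefault(user, List.of()); }
        };
        AuthContext withPac = new AuthContext("alice", OptionalInt.empty(),
                Optional.of(List.of("physics", "admins")));
        AuthContext withUid = new AuthContext("bob", OptionalInt.of(1001), Optional.empty());
        AuthContext nameOnly = new AuthContext("carol", OptionalInt.empty(), Optional.empty());
        System.out.println(getGroups(withPac, dir));
        System.out.println(getGroups(withUid, dir));
        System.out.println(getGroups(nameOnly, dir));
    }
}
```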