[ 
https://issues.apache.org/jira/browse/HADOOP-13771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15626392#comment-15626392
 ] 

Xiaoyu Yao commented on HADOOP-13771:
-------------------------------------

Thanks [~aw] for providing the details of "hdfs groups". That explains well 
why we have "hdfs groups" instead of "hadoop groups" today.

bq. There's an additional wrinkle here. The NN is not the only process that is 
doing group resolution. Pretty much any service that does ACL resolution also 
does group resolution to some degree. Making the command 'hadoop groups' is 
going to lead some folks to think that this works for any service... 

Agree. Based on your description, I would prefer to keep "hdfs groups" as-is today 
instead of replacing "hdfs groups". 

How about exposing this as a DEBUG tool only? Below are some choices here:
1) Run with class Main only, no CLI exposed.
hadoop org.apache.hadoop.security.Groups 

2) Add "hadoop groups" which wraps 1) in script, less ideal as you mentioned 
above. 

3) Add "hdfs debug groups" which wraps 1) in script. 
Explicitly mention the result is solely based on the configurations from 
core-site.xml. 
It is authoritative compared with "hdfs groups"

bq. I'd therefore propose a different solution. 'hdfs groups' should work like 
nslookup. If the NN is up, it should query the NN and give an authoritative 
answer. If the NN is not up, it should give the local answer but be absolutely 
clear that it is at best a guess and may be incorrect.

This proposal looks good to me as well. MR and HDFS share a common base for the 
"group" lookup. This will change the group lookup for both HDFS and MR. 

> Adding group mapping lookup utility without dependency on HDFS namenode
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-13771
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13771
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security, tools
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-13771.00.patch
>
>
> We have {{hdfs groups}} command to troubleshoot issues related to users' 
> group member look up with Unix/LDAP. However, there are some limitations of 
> this command: 1) it can only be executed when namenode is running. 2) any 
> change in the group mapping lookup configuration needs a hdfs namenode 
> restart, which is expensive. 
> This ticket is proposed to have a simple CLI utility like HadoopKerberosName
> {code}
> hadoop org.apache.hadoop.security.HadoopKerberosName 
> nn/localh...@hdpdev.dev.com
> {code}
> The CLI utility for group member lookup will have a usage like below without 
> namenode running or restart for configuration change.
> {code}
> hadoop org.apache.hadoop.security.Groups hdfs
> hdfs : [hadoop, hdfs]
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
