zhihai xu created HADOOP-12413:
----------------------------------

             Summary: AccessControlList should avoid calling getGroupNames in 
isUserInList with empty groups.
                 Key: HADOOP-12413
                 URL: https://issues.apache.org/jira/browse/HADOOP-12413
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 2.7.0
            Reporter: zhihai xu
            Assignee: zhihai xu


{{AccessControlList}} should avoid calling {{getGroupNames}} in 
{{isUserInList}} with empty {{groups}}. Currently {{AccessControlList}} will 
call {{ugi.getGroupNames()}} in {{isUserInList}} even if {{groups}} is empty. 
{{ugi.getGroupNames()}} is an expensive operation which calls the shell commands 
{{id -gn <user> && id -Gn <user>}} to get the list of groups. For example, 
{{ServiceAuthorizationManager#authorize}} will call the blocked ACL 
{{acls[1].isUserAllowed(user)}} to check the user's permission. The default value 
for the blocked ACL is empty:
{code}
    String defaultBlockedAcl = conf.get(
        CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL,
        "");
{code}
So every time {{authorize}} is called, {{getGroupNames}} may be called.
It also caused the following warning messages:
{code}
2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] 
org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to 
get groups for user job_1441722221553_0005: id: job_1441722221553_0005: No such 
user
2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] 
org.apache.hadoop.security.UserGroupInformation: No groups available for user 
job_1441722221553_0005
2015-09-08 14:55:34,236 INFO [Socket Reader #1 for port 52715] 
SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager:
 Authorization successful for job_1441722221553_0005 (auth:TOKEN) for 
protocol=interface org.apache.hadoop.mapred.TaskUmbilicalProtocol
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
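The following is an added, stand-alone example (not Hadoop's code and not part of the original ticket) that models the {{isUserInList}} check described above with an instrumented group lookup, so the cost of the missing short-circuit is visible. The {{User}} and {{Acl}} classes, the {{groupLookups}} counter and the {{isUserInListBefore}} / {{isUserInListAfter}} names are all hypothetical stand-ins for {{UserGroupInformation}} and {{AccessControlList}}; the ACL string format ("users" then a space then "groups", "*" for everyone) follows what the text describes, and the token user name is copied from the log lines in the report.

```java
import java.util.HashSet;
import java.util.Set;

/** Added example: models an ACL check with an instrumented group lookup. */
public class AclShortCircuitDemo {

    /** Hypothetical stand-in for UserGroupInformation. */
    static final class User {
        final String name;
        final Set<String> unixGroups = new HashSet<>(); // what the id command would return
        int groupLookups = 0;                           // how many times the expensive lookup ran

        User(String name, String... groups) {
            this.name = name;
            for (String g : groups) unixGroups.add(g);
        }

        /** Models ugi.getGroupNames(): in Hadoop this shells out to id -gn / id -Gn. */
        String[] getGroupNames() {
            groupLookups++;
            if (unixGroups.isEmpty()) {
                // A token identity such as a job id is not a Unix account; the real
                // ShellBasedUnixGroupsMapping logs a WARN here on every call.
                System.err.println("WARN got exception trying to get groups for user "
                        + name + ": No such user");
            }
            return unixGroups.toArray(new String[0]);
        }
    }

    /** Hypothetical stand-in for AccessControlList. */
    static final class Acl {
        final boolean allAllowed;
        final Set<String> users;
        final Set<String> groups;

        /** "*" allows everyone; otherwise "user1,user2 group1,group2". */
        Acl(String aclString) {
            String s = aclString.trim();
            if (s.equals("*")) {
                allAllowed = true;
                users = new HashSet<>();
                groups = new HashSet<>();
            } else {
                allAllowed = false;
                String[] parts = s.split("\\s+", 2);
                users = parseCsv(parts[0]);
                groups = parts.length > 1 ? parseCsv(parts[1]) : new HashSet<>();
            }
        }

        private static Set<String> parseCsv(String csv) {
            Set<String> out = new HashSet<>();
            for (String t : csv.split(",")) {
                t = t.trim();
                if (!t.isEmpty()) out.add(t);
            }
            return out;
        }

        /** Behaviour described in the ticket: the lookup runs even with no groups to match. */
        boolean isUserInListBefore(User ugi) {
            if (allAllowed || users.contains(ugi.name)) return true;
            for (String g : ugi.getGroupNames()) {
                if (groups.contains(g)) return true;
            }
            return false;
        }

        /** Short-circuit: an empty group set can never match, so skip the lookup. */
        boolean isUserInListAfter(User ugi) {
            if (allAllowed || users.contains(ugi.name)) return true;
            if (!groups.isEmpty()) {
                for (String g : ugi.getGroupNames()) {
                    if (groups.contains(g)) return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        Acl blocked = new Acl("");                              // default blocked ACL: no users, no groups
        User tokenUser = new User("job_1441722221553_0005");   // token identity from the log, no Unix account

        boolean inBlockedBefore = blocked.isUserInListBefore(tokenUser);
        int lookupsBefore = tokenUser.groupLookups;
        boolean inBlockedAfter = blocked.isUserInListAfter(tokenUser);
        int lookupsAfter = tokenUser.groupLookups - lookupsBefore;
        System.out.println("blocked ACL, before: inList=" + inBlockedBefore + " lookups=" + lookupsBefore);
        System.out.println("blocked ACL, after:  inList=" + inBlockedAfter + " lookups=" + lookupsAfter);

        // An ACL that does name a group must still resolve groups; the decision is unchanged.
        Acl adminAcl = new Acl("hdfs admins");
        User ops = new User("alice", "admins");
        System.out.println("group ACL: inList=" + adminAcl.isUserInListAfter(ops)
                + " lookups=" + ops.groupLookups);
    }
}
```

Running it prints one spurious WARN plus {{lookups=1}} for the "before" path and {{lookups=0}} for the "after" path on the empty blocked ACL, and {{lookups=1}} for the group-bearing ACL. The check a reviewer wants here is that the short-circuit cannot change an authorization decision: with an empty {{groups}} set the loop body can never return true, so the only observable differences are the skipped shell invocation and the absent WARN lines.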