zhihai xu created HADOOP-12413:
----------------------------------

Summary: AccessControlList should avoid calling getGroupNames in isUserInList with empty groups.
Key: HADOOP-12413
URL: https://issues.apache.org/jira/browse/HADOOP-12413
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.7.0
Reporter: zhihai xu
Assignee: zhihai xu

{{AccessControlList}} should avoid calling {{getGroupNames}} in {{isUserInList}} with empty {{groups}}.

Currently {{AccessControlList}} will call {{ugi.getGroupNames()}} in {{isUserInList}} even if {{groups}} is empty. {{ugi.getGroupNames()}} is an expensive operation which calls the shell script {{id -gn <USER> && id -Gn <user>}} to get the list of groups.

For example, {{ServiceAuthorizationManager#authorize}} will call the blocked ACL {{acls[1].isUserAllowed(user)}} to check the user permission. The default value for the blocked ACL is empty:
{code}
String defaultBlockedAcl = conf.get(
    CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL,
    "");
{code}
So every time {{authorize}} is called, {{getGroupNames}} may be called.

It also caused the following warning message:
{code}
2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_1441722221553_0005: id: job_1441722221553_0005: No such user
2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.UserGroupInformation: No groups available for user job_1441722221553_0005
2015-09-08 14:55:34,236 INFO [Socket Reader #1 for port 52715] SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for job_1441722221553_0005 (auth:TOKEN) for protocol=interface org.apache.hadoop.mapred.TaskUmbilicalProtocol
{code}
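
A standalone model of the check proposed above, added here as an illustration; it is not Hadoop's code and not the patch for this issue. `SimpleAcl`, `GroupResolver`, the method names and the sample user are hypothetical; the resolver counts calls in place of the shell-based group lookup.

```java
import java.util.*;

// Standalone model of the check described in HADOOP-12413; not Hadoop's own code.
// SimpleAcl, GroupResolver and the method names are hypothetical. Needs Java 9+ (List.of).
public class EmptyGroupAclDemo {
    /** Stand-in for an expensive group lookup (in Hadoop, ugi.getGroupNames()). */
    interface GroupResolver { List<String> groupsFor(String user); }

    static final class SimpleAcl {
        private final Set<String> users, groups;
        SimpleAcl(Collection<String> users, Collection<String> groups) {
            this.users = new HashSet<>(users);
            this.groups = new HashSet<>(groups);
        }
        /** Behaviour described in the issue: groups are resolved even when the ACL lists none. */
        boolean isUserInListEager(String user, GroupResolver r) {
            if (users.contains(user)) return true;
            for (String g : r.groupsFor(user)) if (groups.contains(g)) return true;
            return false;
        }
        /** Guarded form: an ACL with no groups can never match on group, so skip the lookup. */
        boolean isUserInListGuarded(String user, GroupResolver r) {
            if (users.contains(user)) return true;
            if (groups.isEmpty()) return false;
            for (String g : r.groupsFor(user)) if (groups.contains(g)) return true;
            return false;
        }
    }

    public static void main(String[] args) {
        int[] lookups = {0};
        // Constructed resolver: counts calls and returns no groups, like a token user
        // (for example a job id) that has no OS account.
        GroupResolver resolver = user -> { lookups[0]++; return Collections.emptyList(); };
        SimpleAcl blocked = new SimpleAcl(List.of(), List.of()); // empty default blocked ACL
        String user = "job_0001"; // constructed sample user name

        for (int i = 0; i < 1000; i++) blocked.isUserInListEager(user, resolver);
        System.out.println("eager lookups:   " + lookups[0]);
        lookups[0] = 0;
        for (int i = 0; i < 1000; i++) blocked.isUserInListGuarded(user, resolver);
        System.out.println("guarded lookups: " + lookups[0]);

        // The guard must not change the decision when groups are configured.
        SimpleAcl ops = new SimpleAcl(List.of(), List.of("ops"));
        GroupResolver inOps = u -> List.of("ops");
        System.out.println("same decision:   "
            + (ops.isUserInListEager("alice", inOps) == ops.isUserInListGuarded("alice", inOps)));
    }
}
```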