[ https://issues.apache.org/jira/browse/HADOOP-12413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14744840#comment-14744840 ]
zhihai xu commented on HADOOP-12413:
------------------------------------

I attached a patch HADOOP-12413.000.patch which skips calling {{ugi.getGroupNames()}} if {{groups}} is empty.

> AccessControlList should avoid calling getGroupNames in isUserInList with empty groups.
> ---------------------------------------------------------------------------------------
>
>                 Key: HADOOP-12413
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12413
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.7.0
>            Reporter: zhihai xu
>            Assignee: zhihai xu
>         Attachments: HADOOP-12413.000.patch
>
>
> {{AccessControlList}} should avoid calling {{getGroupNames}} in {{isUserInList}} with empty {{groups}}.
> Currently {{AccessControlList}} will call {{ugi.getGroupNames()}} in {{isUserInList}} even if {{groups}} is empty.
> {{ugi.getGroupNames()}} is an expensive operation which calls the shell script {{id -gn <USER> && id -Gn <user>}} to get the list of groups. For example, {{ServiceAuthorizationManager#authorize}} will call blocked ACL {{acls[1].isUserAllowed(user)}} to check the user permission. The default value for blocked ACL is empty:
> {code}
> String defaultBlockedAcl = conf.get(
>     CommonConfigurationKeys.HADOOP_SECURITY_SERVICE_AUTHORIZATION_DEFAULT_BLOCKED_ACL,
>     "");
> {code}
> So every time {{authorize}} is called, {{getGroupNames}} may be called.
> It also caused the following warning message:
> {code}
> 2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.ShellBasedUnixGroupsMapping: got exception trying to get groups for user job_1441722221553_0005: id: job_1441722221553_0005: No such user
> 2015-09-08 14:55:34,236 WARN [Socket Reader #1 for port 52715] org.apache.hadoop.security.UserGroupInformation: No groups available for user job_1441722221553_0005
> 2015-09-08 14:55:34,236 INFO [Socket Reader #1 for port 52715] SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for job_1441722221553_0005 (auth:TOKEN) for protocol=interface org.apache.hadoop.mapred.TaskUmbilicalProtocol
> {code}
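
The behaviour described in this issue, as an added example that is not Hadoop code and not the attached patch: a simplified ACL model that counts group lookups with and without the empty-groups guard. `SimpleAcl`, `EmptyGroupsAclDemo` and the resolver are hypothetical names, and the resolver stands in for the expensive `ugi.getGroupNames()` call.

```java
import java.util.*;
import java.util.function.Function;

// Simplified model, not Hadoop code: SimpleAcl and the resolver are hypothetical names.
public class EmptyGroupsAclDemo {
    static final class SimpleAcl {
        private final Set<String> users, groups;
        private final Function<String, List<String>> groupResolver;

        SimpleAcl(Set<String> users, Set<String> groups, Function<String, List<String>> groupResolver) {
            this.users = users;
            this.groups = groups;
            this.groupResolver = groupResolver;
        }

        // Behaviour described in the issue: groups are resolved even when the ACL lists none.
        boolean isUserInListUnguarded(String user) {
            if (users.contains(user)) return true;
            for (String g : groupResolver.apply(user)) {
                if (groups.contains(g)) return true;
            }
            return false;
        }

        // Guarded form: an ACL with no groups can never match on membership, so skip the lookup.
        boolean isUserInList(String user) {
            if (users.contains(user)) return true;
            if (groups.isEmpty()) return false;
            for (String g : groupResolver.apply(user)) {
                if (groups.contains(g)) return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        int[] lookups = {0}; // counts calls that stand in for the expensive group lookup
        Function<String, List<String>> resolver = user -> {
            lookups[0]++;
            return "alice".equals(user) ? List.of("staff") : List.of(); // constructed sample data
        };
        SimpleAcl blocked = new SimpleAcl(Set.of(), Set.of(), resolver); // empty blocked ACL, as with the "" default
        SimpleAcl allowed = new SimpleAcl(Set.of(), Set.of("staff"), resolver);
        String tokenUser = "job_1441722221553_0005"; // token identity from the issue's log; no OS account
        if (blocked.isUserInListUnguarded(tokenUser) || lookups[0] != 1) throw new AssertionError("unguarded");
        if (blocked.isUserInList(tokenUser) || lookups[0] != 1) throw new AssertionError("guarded made a lookup");
        if (!allowed.isUserInList("alice") || lookups[0] != 2) throw new AssertionError("group match");
        System.out.println("lookups performed: " + lookups[0]);
    }
}
```

The guard changes no authorization decision: an ACL with an empty group set returns the same result either way, but the token identity is never passed to the group lookup, which is what produced the "No such user" warnings.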