From 347cf6e176222b997f63b13136289352d7b14982 Mon Sep 17 00:00:00 2001 From: Todd Lipcon Date: Tue, 15 Jan 2013 20:43:32 +0000 Subject: [PATCH] HADOOP-8712. Change default hadoop.security.group.mapping to JniBasedUnixGroupsNetgroupMappingWithFallback. Contributed by Robert Parker. git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1433624 13f79535-47bb-0310-9956-ffa450edef68 --- hadoop-common-project/hadoop-common/CHANGES.txt | 3 +++ .../src/main/resources/core-default.xml | 12 ++++++++++-- .../content/xdocs/hdfs_permissions_guide.xml | 9 +++++---- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 529d95553d2..e044be09968 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -436,6 +436,9 @@ Release 2.0.3-alpha - Unreleased HADOOP-9192. Move token related request/response messages to common. (suresh) + HADOOP-8712. Change default hadoop.security.group.mapping to + JniBasedUnixGroupsNetgroupMappingWithFallback (Robert Parker via todd) + OPTIMIZATIONS HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml index b020610ba79..27ad539c9fa 100644 --- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml +++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml 
@@ -80,9 +80,17 @@ hadoop.security.group.mapping - org.apache.hadoop.security.ShellBasedUnixGroupsMapping + org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback - Class for user to group mapping (get groups for a given user) for ACL + Class for user to group mapping (get groups for a given user) for ACL. + The default implementation, + org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback, + will determine if the Java Native Interface (JNI) is available. If JNI is + available the implementation will use the API within hadoop to resolve a + list of groups for a user. If JNI is not available then the shell + implementation, ShellBasedUnixGroupsMapping, is used. This implementation + shells out to the Linux/Unix environment with the + bash -c groups command to resolve a list of groups for a user. diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml b/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml index cfb46edfc08..af260fa93c9 100644 --- a/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml +++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml @@ -92,10 +92,11 @@ There is no provision within HDFS for creating user identities, establishing gro
Group Mapping

-Once a username has been determined as described above, the list of groups is determined by a group mapping -service, configured by the hadoop.security.group.mapping property. -The default implementation, org.apache.hadoop.security.ShellBasedUnixGroupsMapping, will shell out -to the Unix bash -c groups command to resolve a list of groups for a user. +Once a username has been determined as described above, the list of groups is +determined by a group mapping service, configured by the +hadoop.security.group.mapping property. Refer to the +core-default.xml for details of the hadoop.security.group.mapping +implementation.

An alternate implementation, which connects directly to an LDAP server to resolve the list of groups, is available
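Review bot: The CHANGES.txt entry (like the commit subject) names JniBasedUnixGroupsNetgroupMappingWithFallback, but the core-default.xml hunk sets the default to org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback, without "Netgroup". One of the two is wrong. Whichever class is meant should appear in both places, because administrators read CHANGES.txt to learn which group mapping now decides group membership for ACL checks by default.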
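Review bot: In the core-default.xml description, "will use the API within hadoop" does not say what is queried to resolve a user's groups, and nothing tells an administrator which of the two paths is in effect on a given node. Since this property feeds ACL decisions, the description should name the native lookup it refers to and say how to tell that the fallback to ShellBasedUnixGroupsMapping was taken. The sentence "This implementation shells out ..." is also ambiguous between the default class and the shell fallback; "The shell implementation shells out ..." would remove the doubt.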
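Review bot: The rewritten paragraph in hdfs_permissions_guide.xml no longer names any default implementation, so the unchanged sentence that follows, "An alternate implementation, which connects directly to an LDAP server ...", has nothing to be an alternative to. Keep one sentence that names the default class and its shell fallback before the pointer to core-default.xml, and change "Refer to the core-default.xml" to "Refer to core-default.xml".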