Dhirendra Khanka created HADOOP-15213:
-----------------------------------------

     Summary: JniBasedUnixGroupsNetgroupMapping.java and ShellBasedUnixGroupsNetgroupMapping.java use netgroup.substring(1)
         Key: HADOOP-15213
         URL: https://issues.apache.org/jira/browse/HADOOP-15213
     Project: Hadoop Common
  Issue Type: Improvement
  Components: security
 Environment: SUSE Linux Enterprise Server 11 (x86_64)
              VERSION = 11
              PATCHLEVEL = 3
    Reporter: Dhirendra Khanka
 Attachments: image-2018-02-07-13-28-45-230.png, image-2018-02-07-13-28-47-106.png, image-2018-02-07-13-28-50-696.png, image-2018-02-07-13-29-25-647.png

Part of the code from the 2 classes below is shown here.

org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping.java

{code:java}
protected synchronized List<String> getUsersForNetgroup(String netgroup) {
  String[] users = null;
  try {
    // JNI code does not expect '@' at the begining of the group name
    users = getUsersForNetgroupJNI(netgroup.substring(1));
  } catch (Exception e) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Error getting users for netgroup " + netgroup, e);
    } else {
      LOG.info("Error getting users for netgroup " + netgroup +
          ": " + e.getMessage());
    }
  }
  if (users != null && users.length != 0) {
    return Arrays.asList(users);
  }
  return new LinkedList<String>();
}
{code}

org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping.java

{code:java}
protected String execShellGetUserForNetgroup(final String netgroup)
    throws IOException {
  String result = "";
  try {
    // shell command does not expect '@' at the begining of the group name
    result = Shell.execCommand(
        Shell.getUsersForNetgroupCommand(netgroup.substring(1)));
  } catch (ExitCodeException e) {
    // if we didn't get the group - just return empty list;
    LOG.warn("error getting users for netgroup " + netgroup, e);
  }
  return result;
}
{code}

The comments in the code above expect the input to contain '@'; however, when executing the shell directly, the output has the form below, which does not contain any ampersand symbol.

{code:java}
:~> getent netgroup mynetgroup1
mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, )
{code}

I have created a test code and removed the substring function and then ran it on the cluster using hadoop jar. The code returned netgroups correctly after the modification.

I have limited knowledge on netgroup. The issue was discovered when hadoop.security.group.mapping = *org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback* was added to core-site.xml and it failed to apply netgroup access.
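
Added example, not part of the original report and not Hadoop code: a small Java program showing what an unconditional `substring(1)` does to a netgroup name with and without a leading '@', next to a guarded alternative, and extracting the user field from the `getent netgroup` line quoted in the report. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not Hadoop's.
public class NetgroupNameDemo {
    // One (host,user,domain) triple as printed by `getent netgroup`.
    private static final Pattern TRIPLE = Pattern.compile(
        "\\(\\s*([^,()]*?)\\s*,\\s*([^,()]*?)\\s*,\\s*([^,()]*?)\\s*\\)");

    // The pattern quoted in the issue: drops the first character unconditionally.
    static String stripUnconditionally(String netgroup) {
        return netgroup.substring(1);
    }

    // Guarded form: remove the marker only when present, reject empty names.
    static String stripMarker(String netgroup) {
        String name = netgroup.startsWith("@") ? netgroup.substring(1) : netgroup;
        if (name.isEmpty()) {
            throw new IllegalArgumentException("empty netgroup name");
        }
        return name;
    }

    // Collect the user field of every triple in one line of getent output.
    static List<String> usersFromGetent(String line) {
        List<String> users = new ArrayList<>();
        Matcher m = TRIPLE.matcher(line);
        while (m.find()) {
            if (!m.group(2).isEmpty()) {
                users.add(m.group(2));
            }
        }
        return users;
    }

    public static void main(String[] args) {
        // Output line copied from the report above.
        String getent =
            "mynetgroup1 ( , a3xsds, ) ( , beekvkl, ) ( , redcuan, ) ( , uedfmst, )";
        for (String input : new String[] {"@mynetgroup1", "mynetgroup1"}) {
            System.out.println(input + " -> unconditional: "
                + stripUnconditionally(input) + ", guarded: " + stripMarker(input));
        }
        System.out.println("users: " + usersFromGetent(getent));
    }
}
```

With the unconditional form, the input `mynetgroup1` is looked up as `ynetgroup1`, while `@mynetgroup1` is looked up as `mynetgroup1`; the guarded form yields `mynetgroup1` for both.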