[jira] [Created] (HADOOP-17467) netgroup-user mapping breaks by a race in NetgroupCache

Steve Loughran (Jira)
Ahmed Hussein created HADOOP-17467:
--------------------------------------

             Summary: netgroup-user mapping breaks by a race in NetgroupCache
                 Key: HADOOP-17467
                 URL: https://issues.apache.org/jira/browse/HADOOP-17467
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
            Reporter: Ahmed Hussein
            Assignee: Ahmed Hussein


There is a potential concurrency bug in the {{NetgroupCache}} implementation.

{{NetgroupCache}} is static. When an ACL is built, its groups will be added to the {{NetgroupCache}}.

A {{-refreshUserToGroupsMappings}} forces the cache to reload the users for each group.
This is done by first getting the keys, clearing the cache, then finally reloading the users for each group.
The problem is that the three steps are not atomic.
Adding ACLs concurrently may take place between L80-L81 ([JniBasedUnixGroupsNetgroupMapping#L79|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/JniBasedUnixGroupsNetgroupMapping.java#L79]). This results in the loss of the most recently added group.
Since group names are used in the JNI level, the users of that group won't be retrieved.

{code:java}
78  @Override
79  public void cacheGroupsRefresh() throws IOException {
80    List<String> groups = NetgroupCache.getNetgroupNames();
81    NetgroupCache.clear();
82    cacheGroupsAdd(groups);
83  }
{code}

+Solution:+

Refreshing {{NetgroupCache}} should not clear the cache keys.




--
This message was sent by Atlassian Jira
(v8.3.4#803005)
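
The lost-update window described in the report, reproduced deterministically as an added example; this is not Hadoop's code. The static map is a simplified stand-in for {{NetgroupCache}}, {{lookupUsers}} is a hypothetical stand-in for the JNI lookup, and the group names are constructed. The second refresh keeps the cache keys and reloads them in place, following the report's proposed solution.

```java
import java.util.*;
import java.util.concurrent.*;

// Simplified model of a static netgroup cache; not Hadoop's NetgroupCache.
public class NetgroupRefreshRace {
  static final ConcurrentHashMap<String, List<String>> cache = new ConcurrentHashMap<>();

  // Hypothetical stand-in for the JNI netgroup lookup.
  static List<String> lookupUsers(String group) {
    return List.of(group + "-user1", group + "-user2");
  }

  // What an ACL build does: register a group and load its users.
  static void addGroup(String group) {
    cache.put(group, lookupUsers(group));
  }

  // The three non-atomic steps: snapshot keys, clear, reload.
  // betweenSteps runs in the window between the snapshot and the clear.
  static void refreshByClearing(Runnable betweenSteps) {
    List<String> groups = new ArrayList<>(cache.keySet());
    betweenSteps.run();
    cache.clear();                                  // drops any group added after the snapshot
    groups.forEach(NetgroupRefreshRace::addGroup);
  }

  // Keys are never removed: each snapshotted entry is reloaded in place.
  static void refreshInPlace(Runnable betweenSteps) {
    List<String> groups = new ArrayList<>(cache.keySet());
    betweenSteps.run();
    groups.forEach(NetgroupRefreshRace::addGroup);
  }

  // A concurrent ACL build on another thread, joined so the interleaving is fixed.
  static Runnable concurrentAdd(String group) {
    return () -> {
      Thread t = new Thread(() -> addGroup(group));
      t.start();
      try { t.join(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    };
  }

  public static void main(String[] args) {
    addGroup("@ops");                               // constructed group names
    refreshByClearing(concurrentAdd("@audit"));
    System.out.println("clear-based refresh keeps @audit: " + cache.containsKey("@audit"));
    cache.clear();
    addGroup("@ops");
    refreshInPlace(concurrentAdd("@audit"));
    System.out.println("in-place refresh keeps @audit: " + cache.containsKey("@audit"));
  }
}
```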
