IMPALA-11027: Adding flag to enable support for ShellBasedUnixGroupsMapping

Currently, Impala doesn't support ShellBasedUnixGroupsMapping and ShellBasedUnixGroupsNetgroupMapping to fetch Hadoop groups as they spawn a new process and run shell command to fetch group info. In Impala, this would happen for every session being created when user delegation is enabled via impala.doas.user and authorized_proxy_group_config. It can have many gotcha's like spawning many processes together in a highly concurrent setting, creation of zombie processes on abrupt crashing of impalad etc. However, not everyone in ecosystem have moved away from shell based group mapping. For instance, in cloudera distribution many components still rely on it. So we need a way to allow users to use shell based mapping instead of not allowing it altogether. This patch provides flag which would allow the support for users that are aware about the gotchas it comes with. Change-Id: I023f396a79f3aa27ad6ac80e91f527058a5a5470 Reviewed-on: http://gerrit.cloudera.org:8080/18019 Reviewed-by: Zoltan Borok-Nagy <boroknagyz@cloudera.com> Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
2025-12-19 09:58:28 -05:00 · 2021-11-11 06:27:07 -08:00
parent b13a17b9cf
commit b2c51a0cef
6 changed files with 18 additions and 2 deletions
--- a/be/src/service/frontend.cc
+++ b/be/src/service/frontend.cc
@@ -74,6 +74,11 @@ DEFINE_string(authorized_proxy_group_config, "",
    "all users. For example: hue=group1,group2;admin=*");
 DEFINE_string(authorized_proxy_group_config_delimiter, ",",
    "Specifies the delimiter used in authorized_proxy_group_config. ");
+DEFINE_bool(enable_shell_based_groups_mapping_support, false,
+    "Enables support for Hadoop groups mapping "
+    "org.apache.hadoop.security.ShellBasedUnixGroupsMapping. By default this support "
+    "is not enabled as it can lead to many process getting spawned to fetch groups for "
+    "user using shell command.");
 DEFINE_string(kudu_master_hosts, "", "Specifies the default Kudu master(s). The given "
    "value should be a comma separated list of hostnames or IP addresses; ports are "
    "optional.");
--- a/be/src/util/backend-gflag-util.cc
+++ b/be/src/util/backend-gflag-util.cc
@@ -48,6 +48,7 @@ DECLARE_string(principal);
 DECLARE_string(local_library_dir);
 DECLARE_string(server_name);
 DECLARE_string(authorized_proxy_group_config);
+DECLARE_bool(enable_shell_based_groups_mapping_support);
 DECLARE_string(catalog_topic_mode);
 DECLARE_string(kudu_master_hosts);
 DECLARE_string(reserved_words_version);
@@ -230,6 +231,8 @@ Status PopulateThriftBackendGflags(TBackendGflags& cfg) {
  cfg.__set_max_filter_error_rate(FLAGS_max_filter_error_rate);
  cfg.__set_min_buffer_size(FLAGS_min_buffer_size);
  cfg.__set_authorized_proxy_group_config(FLAGS_authorized_proxy_group_config);
+  cfg.__set_enable_shell_based_groups_mapping_support(
+      FLAGS_enable_shell_based_groups_mapping_support);
  cfg.__set_disable_catalog_data_ops_debug_only(
      FLAGS_disable_catalog_data_ops_debug_only);
  cfg.__set_catalog_topic_mode(FLAGS_catalog_topic_mode);
--- a/common/thrift/BackendGflags.thrift
+++ b/common/thrift/BackendGflags.thrift
@@ -217,4 +217,6 @@ struct TBackendGflags {
  96: required string startup_filesystem_check_directories

  97: required bool hms_event_incremental_refresh_transactional_table
+
+  98: required bool enable_shell_based_groups_mapping_support
 }
--- a/docs/topics/impala_delegation.xml
+++ b/docs/topics/impala_delegation.xml
@@ -172,7 +172,8 @@ under the License.

      <li>
        ShellBasedUnixGroupsNetgroupMapping and ShellBasedUnixGroupsMapping Hadoop group mapping
-        providers are not supported in Impala group delegation.
+        providers are not supported in Impala group delegation by default. To enable them, flag
+        <codeph>enable_shell_based_groups_mapping</codeph> needs to be enabled.
      </li>

      <li>
--- a/fe/src/main/java/org/apache/impala/service/BackendConfig.java
+++ b/fe/src/main/java/org/apache/impala/service/BackendConfig.java
@@ -103,6 +103,10 @@ public class BackendConfig {
    return !Strings.isNullOrEmpty(backendCfg_.authorized_proxy_group_config);
  }

+  public boolean isShellBasedGroupsMappingEnabled() {
+    return backendCfg_.enable_shell_based_groups_mapping_support;
+  }
+
  public boolean disableCatalogDataOpsDebugOnly() {
    return backendCfg_.disable_catalog_data_ops_debug_only;
  }
--- a/fe/src/main/java/org/apache/impala/service/JniFrontend.java
+++ b/fe/src/main/java/org/apache/impala/service/JniFrontend.java
@@ -823,7 +823,8 @@ public class JniFrontend {
    output.append(checkLogFilePermission());
    output.append(checkFileSystem(CONF));
    output.append(checkShortCircuitRead(CONF));
-    if (BackendConfig.INSTANCE.isAuthorizedProxyGroupEnabled()) {
+    if (BackendConfig.INSTANCE.isAuthorizedProxyGroupEnabled() &&
+        !BackendConfig.INSTANCE.isShellBasedGroupsMappingEnabled()) {
      output.append(checkGroupsMappingProvider(CONF));
    }
    return output.toString();