diff --git a/be/src/service/frontend.cc b/be/src/service/frontend.cc
index 608ba680e..8105be7f2 100644
--- a/be/src/service/frontend.cc
+++ b/be/src/service/frontend.cc
@@ -74,6 +74,11 @@ DEFINE_string(authorized_proxy_group_config, "",
 "all users. For example: hue=group1,group2;admin=*");
 DEFINE_string(authorized_proxy_group_config_delimiter, ",",
 "Specifies the delimiter used in authorized_proxy_group_config. ");
+DEFINE_bool(enable_shell_based_groups_mapping_support, false,
+ "Enables support for Hadoop groups mapping "
+ "org.apache.hadoop.security.ShellBasedUnixGroupsMapping. By default this support "
+ "is not enabled as it can lead to many process getting spawned to fetch groups for "
+ "user using shell command.");
 DEFINE_string(kudu_master_hosts, "", "Specifies the default Kudu master(s). The given "
 "value should be a comma separated list of hostnames or IP addresses; ports are "
 "optional.");
diff --git a/be/src/util/backend-gflag-util.cc b/be/src/util/backend-gflag-util.cc
index 1cc089dfe..f210ddbc1 100644
--- a/be/src/util/backend-gflag-util.cc
+++ b/be/src/util/backend-gflag-util.cc
@@ -48,6 +48,7 @@ DECLARE_string(principal);
 DECLARE_string(local_library_dir);
 DECLARE_string(server_name);
 DECLARE_string(authorized_proxy_group_config);
+DECLARE_bool(enable_shell_based_groups_mapping_support);
 DECLARE_string(catalog_topic_mode);
 DECLARE_string(kudu_master_hosts);
 DECLARE_string(reserved_words_version);
@@ -230,6 +231,8 @@ Status PopulateThriftBackendGflags(TBackendGflags& cfg) {
 cfg.__set_max_filter_error_rate(FLAGS_max_filter_error_rate);
 cfg.__set_min_buffer_size(FLAGS_min_buffer_size);
 cfg.__set_authorized_proxy_group_config(FLAGS_authorized_proxy_group_config);
+ cfg.__set_enable_shell_based_groups_mapping_support(
+ FLAGS_enable_shell_based_groups_mapping_support);
 cfg.__set_disable_catalog_data_ops_debug_only(
 FLAGS_disable_catalog_data_ops_debug_only);
 cfg.__set_catalog_topic_mode(FLAGS_catalog_topic_mode);
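Review bot: In be/src/service/frontend.cc, the help text for `enable_shell_based_groups_mapping_support` does not say what the flag actually switches. Judging from the JniFrontend.java hunk in this commit, setting it skips the startup `checkGroupsMappingProvider` call rather than turning a feature on. The text also names only `ShellBasedUnixGroupsMapping`, while the docs hunk lists `ShellBasedUnixGroupsNetgroupMapping` as well and spells the flag `enable_shell_based_groups_mapping` (without `_support`), so an operator following the docs would set a flag that is not defined here. I would reword the help along the lines of `"Skips the startup check that rejects shell-based Hadoop group mapping providers when authorized_proxy_group_config is set. Each group lookup then spawns a process."` and correct the flag name in docs/topics/impala_delegation.xml.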
diff --git a/common/thrift/BackendGflags.thrift b/common/thrift/BackendGflags.thrift
index 88017f672..198f1f2ed 100644
--- a/common/thrift/BackendGflags.thrift
+++ b/common/thrift/BackendGflags.thrift
@@ -217,4 +217,6 @@ struct TBackendGflags {
 96: required string startup_filesystem_check_directories
 
 97: required bool hms_event_incremental_refresh_transactional_table
+
+ 98: required bool enable_shell_based_groups_mapping_support
 }
diff --git a/docs/topics/impala_delegation.xml b/docs/topics/impala_delegation.xml
index dd535fb40..03914c4e3 100644
--- a/docs/topics/impala_delegation.xml
+++ b/docs/topics/impala_delegation.xml
@@ -172,7 +172,8 @@ under the License.
  • ShellBasedUnixGroupsNetgroupMapping and ShellBasedUnixGroupsMapping Hadoop group mapping - providers are not supported in Impala group delegation. + providers are not supported in Impala group delegation by default. To enable them, flag + enable_shell_based_groups_mapping needs to be enabled.
  •
diff --git a/fe/src/main/java/org/apache/impala/service/BackendConfig.java b/fe/src/main/java/org/apache/impala/service/BackendConfig.java
index b0614ae58..898ae9057 100644
--- a/fe/src/main/java/org/apache/impala/service/BackendConfig.java
+++ b/fe/src/main/java/org/apache/impala/service/BackendConfig.java
@@ -103,6 +103,10 @@ public class BackendConfig {
 return !Strings.isNullOrEmpty(backendCfg_.authorized_proxy_group_config);
 }
 
+ public boolean isShellBasedGroupsMappingEnabled() {
+ return backendCfg_.enable_shell_based_groups_mapping_support;
+ }
+
 public boolean disableCatalogDataOpsDebugOnly() {
 return backendCfg_.disable_catalog_data_ops_debug_only;
 }
diff --git a/fe/src/main/java/org/apache/impala/service/JniFrontend.java b/fe/src/main/java/org/apache/impala/service/JniFrontend.java
index f8c7f2cca..663673e91 100644
--- a/fe/src/main/java/org/apache/impala/service/JniFrontend.java
+++ b/fe/src/main/java/org/apache/impala/service/JniFrontend.java
@@ -823,7 +823,8 @@ public class JniFrontend {
 output.append(checkLogFilePermission());
 output.append(checkFileSystem(CONF));
 output.append(checkShortCircuitRead(CONF));
- if (BackendConfig.INSTANCE.isAuthorizedProxyGroupEnabled()) {
+ if (BackendConfig.INSTANCE.isAuthorizedProxyGroupEnabled() &&
+ !BackendConfig.INSTANCE.isShellBasedGroupsMappingEnabled()) {
 output.append(checkGroupsMappingProvider(CONF));
 }
 return output.toString();
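Review bot: With the new condition in JniFrontend.java, setting the flag skips `checkGroupsMappingProvider(CONF)` entirely, so anything else that function validates is lost too, and nothing in the startup output records that the check was bypassed. The body of `checkGroupsMappingProvider` is outside this hunk, so I cannot tell whether it checks more than the two shell-based providers; if it does, the flag would be better passed into it so that only the shell-based rejection is relaxed. At minimum I would add a comment such as `// Operator opted in to shell-based group mapping; provider check intentionally skipped.` and, if this class has a logger, emit a warning naming the flag when the branch is not taken. The enclosing method starts and ends outside the hunk.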