HADOOP-8712. Change default hadoop.security.group.mapping to JniBasedUnixGroupsNetgroupMappingWithFallback. Contributed by Robert Parker.

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1433625 13f79535-47bb-0310-9956-ffa450edef68
Todd Lipcon 12 years ago
parent
commit
467e811003

+ 3 - 0
hadoop-common-project/hadoop-common/CHANGES.txt

@@ -118,6 +118,9 @@ Release 2.0.3-alpha - Unreleased
     HADOOP-9192. Move token related request/response messages to common.
     (suresh)
 
+    HADOOP-8712. Change default hadoop.security.group.mapping to
+    JniBasedUnixGroupsNetgroupMappingWithFallback (Robert Parker via todd)
+
   OPTIMIZATIONS
 
     HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
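
Review bot: The class name in the added CHANGES.txt entry, JniBasedUnixGroupsNetgroupMappingWithFallback, does not match the value this commit sets in core-default.xml, which is org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback (no "Netgroup"). Operators read this entry to learn which default changed, so it should name the class that core-default.xml actually configures. The commit subject line carries the same name and is worth correcting in any follow-up.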

+ 10 - 2
hadoop-common-project/hadoop-common/src/main/resources/core-default.xml

@@ -80,9 +80,17 @@
 
 <property>
   <name>hadoop.security.group.mapping</name>
-  <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
+  <value>org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback</value>
   <description>
-    Class for user to group mapping (get groups for a given user) for ACL
+    Class for user to group mapping (get groups for a given user) for ACL. 
+    The default implementation,
+    org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback, 
+    will determine if the Java Native Interface (JNI) is available. If JNI is 
+    available the implementation will use the API within hadoop to resolve a 
+    list of groups for a user. If JNI is not available then the shell 
+    implementation, ShellBasedUnixGroupsMapping, is used.  This implementation 
+    shells out to the Linux/Unix environment with the 
+    <code>bash -c groups</code> command to resolve a list of groups for a user.
   </description>
 </property>
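
Review bot: The new description does not say how an operator can tell which implementation was selected. It states that the shell implementation is used "If JNI is not available", so two nodes with an identical configuration can resolve groups through different code paths, and this mapping feeds ACL decisions. Suggest stating where the choice is reported, and changing "This implementation shells out" to "ShellBasedUnixGroupsMapping shells out" so the sentence cannot be read as describing the JNI path. Minor: several added lines (for example the ones ending "for ACL. " and "WithFallback, ") carry trailing whitespace, and "for ACL." closes a fragment that still reads as incomplete.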
 

+ 5 - 4
hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml

@@ -92,10 +92,11 @@ There is no provision within HDFS for creating user identities, establishing gro
 
 <section><title>Group Mapping</title>
 <p>
-Once a username has been determined as described above, the list of groups is determined by a <em>group mapping
-service</em>, configured by the <code>hadoop.security.group.mapping</code> property.
-The default implementation, <code>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</code>, will shell out
-to the Unix <code>bash -c groups</code> command to resolve a list of groups for a user.
+Once a username has been determined as described above, the list of groups is 
+determined by a <em>group mapping service</em>, configured by the 
+<code>hadoop.security.group.mapping</code> property. Refer to the 
+core-default.xml for details of the <code>hadoop.security.group.mapping</code>
+implementation.
 </p>
 <p>
 An alternate implementation, which connects directly to an LDAP server to resolve the list of groups, is available
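
Review bot: After this change the Group Mapping section no longer names any default implementation, yet the following paragraph still opens with "An alternate implementation, which connects directly to an LDAP server", which now has nothing to be an alternative to. Suggest keeping one sentence that names the default class and its shell fallback, or rewording the LDAP paragraph to stand alone. "Refer to the core-default.xml" would be easier to act on as a link or with the property name repeated only once, and the first three added lines end in trailing whitespace.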