12 years ago · 467e811003
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -118,6 +118,9 @@ Release 2.0.3-alpha - Unreleased
 
															     HADOOP-9192. Move token related request/response messages to common.
														
 
															     (suresh)
														
 
															+    HADOOP-8712. Change default hadoop.security.group.mapping to
														
 
															+    JniBasedUnixGroupsNetgroupMappingWithFallback (Robert Parker via todd)
														
 
															+
														
 
															   OPTIMIZATIONS
														
 
															     HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
														
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -80,9 +80,17 @@
 
															 <property>
														
 
															   <name>hadoop.security.group.mapping</name>
														
 
															-  <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
														
 
															+  <value>org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback</value>
														
 
															   <description>
														
 
															-    Class for user to group mapping (get groups for a given user) for ACL
														
 
															+    Class for user to group mapping (get groups for a given user) for ACL. 
														
 
															+    The default implementation,
														
 
															+    org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback, 
														
 
															+    will determine if the Java Native Interface (JNI) is available. If JNI is 
														
 
															+    available the implementation will use the API within hadoop to resolve a 
														
 
															+    list of groups for a user. If JNI is not available then the shell 
														
 
															+    implementation, ShellBasedUnixGroupsMapping, is used.  This implementation 
														
 
															+    shells out to the Linux/Unix environment with the 
														
 
															+    <code>bash -c groups</code> command to resolve a list of groups for a user.
														
 
															   </description>
														
 
															 </property>
														
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
@@ -92,10 +92,11 @@ There is no provision within HDFS for creating user identities, establishing gro
 
															 <section><title>Group Mapping</title>
														
 
															 <p>
														
 
															-Once a username has been determined as described above, the list of groups is determined by a <em>group mapping
														
 
															-service</em>, configured by the <code>hadoop.security.group.mapping</code> property.
														
 
															-The default implementation, <code>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</code>, will shell out
														
 
															-to the Unix <code>bash -c groups</code> command to resolve a list of groups for a user.
														
 
															+Once a username has been determined as described above, the list of groups is 
														
 
															+determined by a <em>group mapping service</em>, configured by the 
														
 
															+<code>hadoop.security.group.mapping</code> property. Refer to the 
														
 
															+core-default.xml for details of the <code>hadoop.security.group.mapping</code>
														
 
															+implementation.
														
 
															 </p>
														
 
															 <p>
														
 
															 An alternate implementation, which connects directly to an LDAP server to resolve the list of groups, is available