PartialGroupNameException errors

Explorer

We are getting continuous PartialGroupNameException for a specific user account.

 

Below is the sample error snippet.

 
++++++
WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: unable to return groups for user -SERV-CHEF
PartialGroupNameException The user name '-SERV-CHEF' is not found. id: invalid option -- 'S'
Try 'id --help' for more information.
Try 'id --help' for more information.
id: invalid option -- 'S'
Try 'id --help' for more information.
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.resolvePartialGroupNames(ShellBasedUnixGroupsMapping.java:212)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:133)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:72)
at org.apache.hadoop.security.Groups$GroupCacheLoader.fetchGroupList(Groups.java:368)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:309)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:267)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3969)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4829)
at org.apache.hadoop.security.Groups.getGroups(Groups.java:225)
at org.apache.hadoop.security.UserGroupInformation.getGroups(UserGroupInformation.java:1778)
at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1766)
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.<init>(FSPermissionChecker.java:66)
at org.apache.hadoop.hdfs.server.namenode.FSDirectory.getPermissionChecker(FSDirectory.java:3468)
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getPermissionChecker(FSNamesystem.java:4079)
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getFileInfo(FSNamesystem.java:4269)
at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getFileInfo(NameNodeRpcServer.java:901)
at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.getFileInfo(AuthorizationProviderProxyClientProtocol.java:528)
at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getFileInfo(ClientNamenodeProtocolServerSideTranslatorPB.java:839)
at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:617)
at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1073)
at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2216)
at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2212)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2210)
++++++
 
Source : /logs/hadoop-hdfs/hadoop-cmf-CD-HDFS-pFXTJXEX-NAMENODE-.log.out
 
Command output from name node:
 
# id -Gn -SERV-CHEF
id: invalid option -- 'S'
Try 'id --help' for more information.
You have mail in /var/spool/mail/root
#
 
# hdfs groups -SERV-CHEF
-SERV-CHEF :
#
 
Could you help me here with some insights, please?

Explorer

If I am using -- option from the command line, I am getting the group details. I am not sure why this error is being logged. Any thoughts? 

 

# groups -- -SERV-CHEF
groups: -SERV-CHEF: no such user

# groups -- -SERV-CHEF@domain

success!

 

 

Expert Contributor

Did you figure out why it was being logged?

Explorer

Basically, the issue is that Hadoop is running an id command against the user and not including -- in front of the user if the username starts with a -.

 

1. As per the POSIX standard, a username should not start with a hyphen character ("-"). It is causing this problem.
2. The authorization is done over Kerberos, which is working fine.

3. Seems like this userid needs its Unix groups to perform some action on HDFS, which is throwing this error (e.g. writing to a directory using group permissions). This is because the group lookup is not working due to the above-mentioned issue.
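
The difference the thread describes, as an added example (not part of any post and not Hadoop's own code): the same `id -Gn` lookup with and without the `--` end-of-options marker, plus a small audit that flags account names a getopt-style tool would read as options. The function names and the sample names fed to the audit are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample input is constructed.

# Return 0 if a name would be parsed as an option by getopt-style tools
# when it is passed without a preceding "--".
looks_like_option() {
    case "$1" in
        -*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Read account names (one per line) on stdin and print the ones that
# begin with a hyphen, i.e. the ones that break an unguarded lookup.
audit_names() {
    while IFS= read -r name; do
        if looks_like_option "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Group lookup as seen in the NameNode log: the name is passed bare, so a
# leading "-" makes id treat it as a string of option letters.
# stderr is merged into stdout so the caller can inspect the error text.
groups_for_unsafe() {
    LC_ALL=C id -Gn "$1" 2>&1
}

# Same lookup with "--": everything after it is an operand, so the name
# reaches the user database lookup unchanged.
groups_for() {
    LC_ALL=C id -Gn -- "$1" 2>&1
}

# Stand-alone demonstration (skipped if this file is sourced with DEMO=0).
if [ "${DEMO:-1}" = 1 ]; then
    printf 'unsafe: %s\n' "$(groups_for_unsafe '-SERV-CHEF' || true)"
    printf 'safe:   %s\n' "$(groups_for '-SERV-CHEF' || true)"
    printf '%s\n' hdfs -SERV-CHEF svc-chef | audit_names
fi
```

On a host where the account does not exist, the guarded form still fails, but with a "no such user" style message about the name itself rather than an option-parsing error, which is the distinction to look for when triaging these warnings.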