Reply
Explorer
Posts: 10
Registered: ‎05-11-2018

PartialGroupNameException errors

We are getting continuous PartialGroupNameException for a specific user account.

 

Below is the sample error snippet.

 
++++++
WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: unable to return groups for user -SERV-CHEF
PartialGroupNameException The user name '-SERV-CHEF' is not found. id: invalid option -- 'S'
Try 'id --help' for more information.
Try 'id --help' for more information.
id: invalid option -- 'S'
Try 'id --help' for more information.
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.resolvePartialGroupNames(ShellBasedUnixGroupsMapping.java:212)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:133)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:72)
at org.apache.hadoop.security.Groups$GroupCacheLoader.fetchGroupList(Groups.java:368)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:309)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:267)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3969)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4829)
at org.apache.hadoop.security.Groups.getGroups(Groups.java:225)
at org.apache.hadoop.security.UserGroupInformation.getGroups(UserGroupInformation.java:1778)
at org.apache.hadoop.security.UserGroupInformation.getGroupNames(UserGroupInformation.java:1766)
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.(FSPermissionChecker.java:66)
at org.apache.hadoop.hdfs.server.namenode.FSDirectory.getPermissionChecker(FSDirectory.java:3468)
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getPermissionChecker(FSNamesystem.java:4079)
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getFileInfo(FSNamesystem.java:4269)
at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getFileInfo(NameNodeRpcServer.java:901)
at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.getFileInfo(AuthorizationProviderProxyClientProtocol.java:528)
at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getFileInfo(ClientNamenodeProtocolServerSideTranslatorPB.java:839)
at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:617)
at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1073)
at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2216)
at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2212)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2210)
++++++
 
Source : /logs/hadoop-hdfs/hadoop-cmf-CD-HDFS-pFXTJXEX-NAMENODE-.log.out
 
Command output from name node:
 
# id -Gn -SERV-CHEF
id: invalid option -- 'S'
Try 'id --help' for more information.
You have mail in /var/spool/mail/root
#
 
# hdfs groups -SERV-CHEF
-SERV-CHEF :
#
 
Could you help me here with some insights, please?
Explorer
Posts: 10
Registered: ‎05-11-2018

Re: PartialGroupNameException errors

If I am using -- option from the command line, I am getting the group details. I am not sure why this error is being logged. Any thoughts? 

 

# groups -- -SERV-CHEF
groups: -SERV-CHEF: no such user

# groups -- -SERV-CHEF@domain

success!

 

 

Expert Contributor
Posts: 108
Registered: ‎05-19-2016

Re: PartialGroupNameException errors

Did you figure out why was it being logged?

Highlighted
Explorer
Posts: 10
Registered: ‎05-11-2018

Re: PartialGroupNameException errors

Basically issue is the Hadoop is running an id command against the user and not including
-- in front of the user if the username starts with a -.

 

1.  As per POSIX standard, a username should not start with a hyphen character, and "-". It is causing this problem.
 2. The authorization is done over Kerberos which is working fine.

3. Seems like this userid needs its Unix groups to perform some action on HDFS which is throwing this error (eg writing to a directory using group permissions). This is because the group lookup is not working due to above mentioned issue.

Announcements