Subject: Re: Review Request 40019: LDAP - Group Membership not pulled in with FreeIPA/RHELIDM
From: "Oliver Szabo"
To: "Robert Levas", "Dmytro Sen", "Robert Nettleton", "Sumit Mohanty"
Cc: "Ambari", "Oliver Szabo"
Reply-To: dev@ambari.apache.org
Delivered-To: mailing list dev@ambari.apache.org
Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm
Date: Thu, 19 Nov 2015 10:19:51 -0000
Message-ID: <20151119101951.6715.56333@reviews.apache.org>
In-Reply-To: <20151111174833.1681.36965@reviews.apache.org>
References: <20151111174833.1681.36965@reviews.apache.org>
X-ReviewGroup: Ambari
X-ReviewBoard-URL: https://reviews.apache.org/
X-ReviewRequest-URL: https://reviews.apache.org/r/40019/
X-ReviewRequest-Repository: ambari
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40019/
-----------------------------------------------------------

(Updated Nov. 19, 2015, 10:19 a.m.)


Review request for Ambari, Dmytro Sen, Robert Levas, Robert Nettleton, and Sumit Mohanty.


Bugs: AMBARI-13767
    https://issues.apache.org/jira/browse/AMBARI-13767


Repository: ambari


Description
-------

Group Membership not pulled in with FreeIPA/RHELIDM

In FreeIPA/RHEL (389 DS for the directory server implementation) the DN is not an attribute on the user, and cannot be used in a filter like this:

(&(objectClass=posixaccount)(|(dn=uid=dstreev,cn=users,cn=accounts,dc=hdp,dc=local)(uid=uid=dstreev,cn=users,cn=accounts,dc=hdp,dc=local)))

Notes:
- MemberAttributes can be used to query/filter on the groups/users. E.g.: in OpenLDAP the member attributes are names, like hive, hadoop etc. -> there we can use the actual solution. In other providers, like FreeIPA, the member attributes look like uid=hive,cn=..., which means these attributes can be used in queries as the baseDN (so the dn part is not needed in the filter), then the query won't fail.
- There is no group-group relation in Ambari. For nested groups: currently we don't see the user members in the upper groups. I could flatten the users to the upper groups during the sync, but it is not the right way to do it, because in case we delete a user from the subgroup and we are syncing only the subgroup, the users are not deleted from the upper groups. (We can do that, but then we sync all of the groups..)
-> The right way would be if we could see the subgroups in the upper groups (for that, we need the group-group relationship in the future).


Diffs (updated)
-----

  ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java 103cfcb 
  ambari-server/src/test/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulatorTest.java 3f4f7b5 

Diff: https://reviews.apache.org/r/40019/diff/


Testing
-------

Unit tests done.
Functional testing:
- works as expected with different LDAP providers
- nested group case: groupA has a groupB member, groupB has 2 users. Group csv file only contains groupA, then groupA and groupB were processed and 2 memberships were created.


Thanks,

Oliver Szabo
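The two points the description makes, that a DN-shaped member value (FreeIPA/389 DS) must become the search base rather than a `dn=` term in the filter, while a bare-name member value (OpenLDAP) is filtered on the username attribute, and that nested groups such as groupA -> groupB need to be descended into, are shown below as an added example. This is not Ambari's code or the code under review: it is a stand-alone Python illustration with an in-memory stand-in for the directory, constructed sample entries (the `dc=example,dc=test` tree, the users alice and bob, groupA and groupB), and hypothetical function names (`user_query`, `resolve_group_users`, `FakeDirectory`). It goes slightly beyond the description in two ways: member values are RFC 4515-escaped before being placed in a filter, so a hostile value cannot rewrite the filter, and the nested-group walk carries a visited set so a membership cycle cannot recurse forever.

```python
"""Member-attribute-aware LDAP user lookup and nested-group resolution (added example)."""
import re

BASE, SUBTREE = "base", "subtree"

# Loose DN shape: one or more "attr=value" RDNs separated by commas.
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(?:,[A-Za-z][\w-]*=[^,]+)*$")


def is_dn(value: str) -> bool:
    """True for DN-shaped member values (FreeIPA/389 DS), False for bare names (OpenLDAP memberUid)."""
    return bool(_DN_RE.match(value.strip()))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a member value must never be able to alter the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_query(member_value, user_search_base, user_object_class="posixAccount", username_attr="uid"):
    """Return (base, scope, filter) for locating the user a group's member value refers to.

    A DN-shaped value becomes the search base of a base-scope search, so no 'dn=' term ever
    appears in the filter (389 DS does not expose dn as a filterable attribute).
    A bare name is filtered on the username attribute under the configured user search base.
    """
    if is_dn(member_value):
        return member_value, BASE, f"(objectClass={user_object_class})"
    filt = f"(&(objectClass={user_object_class})({username_attr}={escape_filter_value(member_value)}))"
    return user_search_base, SUBTREE, filt


class FakeDirectory:
    """Minimal in-memory stand-in for an LDAP server (hypothetical); knows only the two filter shapes above."""
    _SIMPLE = re.compile(r"^\(objectClass=([^)]+)\)$", re.I)
    _AND = re.compile(r"^\(&\(objectClass=([^)]+)\)\(([\w-]+)=(.*)\)\)$", re.I)

    def __init__(self, entries):
        self.entries = {dn.lower(): (dn, attrs) for dn, attrs in entries.items()}

    @staticmethod
    def _has(attrs, name, wanted):
        return wanted.lower() in (v.lower() for v in attrs.get(name, []))

    def _matches(self, attrs, filt):
        m = self._SIMPLE.match(filt)
        if m:
            return self._has(attrs, "objectClass", m.group(1))
        m = self._AND.match(filt)
        if m:
            oc, attr, raw = m.groups()
            return self._has(attrs, "objectClass", oc) and self._has(attrs, attr, unescape_filter_value(raw))
        raise ValueError("unsupported filter: " + filt)

    def search(self, base, scope, filt):
        """Return the DNs under `base` (exactly `base` for BASE scope) that match `filt`."""
        base = base.lower()
        hits = []
        for key, (dn, attrs) in self.entries.items():
            in_scope = key == base if scope == BASE else (key == base or key.endswith("," + base))
            if in_scope and self._matches(attrs, filt):
                hits.append(dn)
        return hits


def resolve_group_users(directory, group_dn, user_search_base, group_object_class="groupOfNames",
                        member_attr="member", _seen=None):
    """Collect the user DNs of a group, descending into nested groups.

    Returns (user_dns, processed_group_dns). `_seen` guards against membership cycles.
    """
    seen = _seen if _seen is not None else set()
    if group_dn.lower() in seen:
        return set(), []
    seen.add(group_dn.lower())
    users, processed = set(), [group_dn]
    for gdn in directory.search(group_dn, BASE, f"(objectClass={group_object_class})"):
        _, attrs = directory.entries[gdn.lower()]
        for member in attrs.get(member_attr, []):
            base, scope, filt = user_query(member, user_search_base)
            found = directory.search(base, scope, filt)
            if found:
                users.update(found)
            elif is_dn(member):  # not a user entry: treat a DN-shaped member as a nested group
                sub_users, sub_groups = resolve_group_users(
                    directory, member, user_search_base, group_object_class, member_attr, seen)
                users |= sub_users
                processed += sub_groups
    return users, processed


# Constructed FreeIPA-style sample tree: groupA contains groupB, groupB contains two users
# and (to exercise the cycle guard) groupA again.
ACCOUNTS = "cn=accounts,dc=example,dc=test"
USERS = "cn=users," + ACCOUNTS
GROUPS = "cn=groups," + ACCOUNTS
SAMPLE = {
    f"uid=alice,{USERS}": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    f"uid=bob,{USERS}": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    f"cn=groupB,{GROUPS}": {"objectClass": ["groupOfNames"],
                            "member": [f"uid=alice,{USERS}", f"uid=bob,{USERS}", f"cn=groupA,{GROUPS}"]},
    f"cn=groupA,{GROUPS}": {"objectClass": ["groupOfNames"], "member": [f"cn=groupB,{GROUPS}"]},
}

if __name__ == "__main__":
    users, groups = resolve_group_users(FakeDirectory(SAMPLE), f"cn=groupA,{GROUPS}", USERS)
    print("groups processed:", groups)
    print("user members:", sorted(users))
```

Resolving groupA with the constructed tree processes groupA and groupB and yields the two users, mirroring the nested-group case in the Testing section; the same `user_query` helper also produces the OpenLDAP-style `(&(objectClass=posixAccount)(uid=hive))` filter for a bare-name member value.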