hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brandon Li (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8943) Support multiple group mapping providers
Date Tue, 17 Jun 2014 00:03:02 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033212#comment-14033212

Brandon Li commented on HADOOP-8943:

The patch looks pretty nice. A few comments:

1. for the change in the public interface GroupMappingServiceProvider.java. We can use the
same config key already defined in CommonCofigurationKeysPublic instead of defining a new

+  public static final String GROUP_MAPPING_CONFIG_PREFIX = "hadoop.security.group.mapping";

2. when multiple domains are configured and LdapGroupsMapping is used multiple times for all
the domains(as in the example given in core-site.xml). We may also need multiple ladap password
and password file config keys for different ldap servers. Currently all ldap servers use the
same configuration in hadoop.security.group.mapping.ldap.ssl.keystore.password.file and hadoop.security.group.mapping.ldap.bind.password.file.

3. you may want to change MAPPING_PROVIDERS_KEY to MAPPING_PROVIDERS_CONFIG_PREFIX to be consistent

4. please add java doc for domain param in Groups#getGroups, and doGetGroups

The patch needs to be rebased too.

> Support multiple group mapping providers
> ----------------------------------------
>                 Key: HADOOP-8943
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8943
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 2.5.0
>         Attachments: HADOOP-8943.patch, HADOOP-8943.patch, HADOOP-8943.patch
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>   Discussed with Natty about LdapGroupMapping, we need to improve it so that: 
> 1. It's possible to do different group mapping for different users/principals. For example,
AD user should go to LdapGroupMapping service for group, but service principals such as hdfs,
mapred can still use the default one ShellBasedUnixGroupsMapping; 
> 2. Multiple ADs can be supported to do LdapGroupMapping; 
> 3. It's possible to configure what kind of users/principals (regarding domain/realm is
an option) should use which group mapping service/mechanism.
> 4. It's possible to configure and combine multiple existing mapping providers without
writing codes implementing new one.

This message was sent by Atlassian JIRA

View raw message