hadoop-common-issues mailing list archives

From "Anu Engineer (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12291) Add support for nested groups in LdapGroupsMapping
Date Mon, 02 May 2016 22:13:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15267604#comment-15267604

Anu Engineer commented on HADOOP-12291:

bq. The thought behind leaving the option of using -1 was that some companies may have a deeply
nested structure and do not mind the cost of the lookups.

I do see the use case, but I am more worried that someone will have a slow LDAP/AD server
and will cause a general slowdown of Namenode.

Also, another issue that I see is that with infinite recursion we really have no control over
the timeout. Based on this patch, the timeout is per query, so in the infinite recursion scheme
the time is the number of times you recur multiplied by the timeout. At that point {{timeOut}} really
has no meaning. As you pointed out, in the current scheme it is {{2 * timeOut}}. In your new
scheme it will be {{max(Recur Depth, Configured Value) * timeOut}}. But in the infinite scheme,
it is N * timeout where N is dependent on some values in AD.

I am worried that the support cost for such a feature would be too high. Also, if we really need
it, we know that with your patch it is an easy change to make.

bq. The DIRECTORY_SEARCH_TIMEOUT is a timeout set for each LDAP query.
That works very well since we know the MAX_UPPER bound for the query. So max time is maxDepth
* timeout. Would you care to document that with your settings?

bq. I do not think you can make less LDAP queries. 
Thank you, good to know.

I am looking forward to your next patch.

> Add support for nested groups in LdapGroupsMapping
> --------------------------------------------------
>                 Key: HADOOP-12291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Gautam Gopalakrishnan
>            Assignee: Esther Kundin
>              Labels: features, patch
>             Fix For: 2.8.0
>         Attachments: HADOOP-12291.001.patch, HADOOP-12291.002.patch
> When using {{LdapGroupsMapping}} with Hadoop, nested groups are not supported. So for
> example if user {{jdoe}} is part of group A which is a member of group B, the group mapping
> currently returns only group A.
> Currently this facility is available with {{ShellBasedUnixGroupsMapping}} and SSSD (or
> similar tools) but would be good to have this feature as part of {{LdapGroupsMapping}} directly.
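The timeout arithmetic discussed in the comment above, as an added illustration that is not Hadoop's LdapGroupsMapping code: a level-by-level nested-group resolution over a constructed in-memory stand-in for the directory, where each simulated query is charged against a per-query timeout. With a non-negative depth limit the worst-case time is fixed by configuration alone; with -1 it depends on whatever nesting (including cycles) the directory happens to contain. The sample user and group names, the `lookup_parents`/`resolve_groups`/`configured_upper_bound` helpers and the membership cycle in the sample data are all constructed here.

```python
"""Worst-case lookup time of depth-bounded nested-group resolution.

Added illustration; this is NOT Hadoop's LdapGroupsMapping implementation.
The "directory" is a constructed in-memory stand-in for LDAP/AD: it maps a
user or group name to the groups that entry is a direct member of. Each call
to lookup_parents() models one LDAP search, which a real deployment would
bound with a per-query timeout such as DIRECTORY_SEARCH_TIMEOUT.
"""

# Constructed sample data (hypothetical names). jdoe -> A -> B -> C is a
# three-level chain; asmith -> X <-> Y contains a membership cycle.
SAMPLE_DIRECTORY = {
    "jdoe": ["A"],
    "A": ["B"],
    "B": ["C"],
    "C": [],
    "asmith": ["X"],
    "X": ["Y"],
    "Y": ["X"],
}


def lookup_parents(directory, names):
    """One simulated LDAP query: every group that any of `names` is a direct
    member of. A real implementation would send a single OR filter over all
    `names` so that each nesting level costs exactly one round trip."""
    parents = set()
    for name in names:
        parents.update(directory.get(name, []))
    return parents


def resolve_groups(directory, user, max_depth, query_timeout):
    """Resolve `user`'s groups, following nesting up to `max_depth` levels.

    max_depth == 0  -> direct groups only (one query).
    max_depth == -1 -> follow nesting until no new group appears; the number
                       of queries is then decided by the directory contents,
                       not by configuration.
    Returns (sorted group list, queries issued, queries * query_timeout);
    the last value is how long this resolution could take if every query
    ran up to its timeout.
    """
    groups = set()
    frontier = lookup_parents(directory, [user])  # query 1: direct groups
    queries = 1
    depth = 0
    while frontier:
        groups.update(frontier)
        if max_depth != -1 and depth >= max_depth:
            break
        candidates = lookup_parents(directory, frontier)  # one query per level
        queries += 1
        depth += 1
        # Only groups not seen before continue the walk: this is what stops
        # the X <-> Y cycle from recursing forever when max_depth is -1.
        frontier = candidates - groups
    return sorted(groups), queries, queries * query_timeout


def configured_upper_bound(max_depth, query_timeout):
    """Upper bound on resolution time that follows from configuration alone:
    at most 1 + max_depth queries, each limited to query_timeout. With -1
    there is no such bound; it depends on the data in the directory."""
    if max_depth < 0:
        return float("inf")
    return (1 + max_depth) * query_timeout


if __name__ == "__main__":
    for depth in (0, 1, 2, -1):
        groups, queries, worst = resolve_groups(SAMPLE_DIRECTORY, "jdoe", depth, 10)
        print(f"maxDepth={depth:>2}: groups={groups} queries={queries} "
              f"worst={worst}s bound={configured_upper_bound(depth, 10)}s")
    # The cycle terminates only because already-seen groups are dropped.
    print(resolve_groups(SAMPLE_DIRECTORY, "asmith", -1, 10))
```

For any non-negative `max_depth` the observed worst case never exceeds `configured_upper_bound`, which is the property the comment asks to have documented alongside the settings; for -1 the bound is infinite and the actual cost is set by the directory, which is the operational concern raised against a slow LDAP/AD server.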

This message was sent by Atlassian JIRA
