hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-10919) [VisibilityController] ScanLabelGenerator using LDAP
Date Sun, 06 Apr 2014 09:46:16 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13961364#comment-13961364 ]

Andrew Purtell commented on HBASE-10919:
----------------------------------------

We could start by doing something similar to Hadoop's LDAP group mapper (see org.apache.hadoop.security.LdapGroupsMapping).
It would be familiar to admins who may have set that up before already.

You configure this provider with a user and password used to bind to the LDAP server, and
the location of the LDAP server. Then, the base distinguished name to use for searches, and
a filter expression to apply when searching for user objects, e.g.
{noformat}
(&(objectClass=user)(cn={0}))
{noformat}
We would then need to add new configuration for filtering out the object attributes we are
not interested in. Any attributes remaining could become auths. 

Because the SLGs run inside the RegionServer processes with superuser privileges, it would
be possible for them to add new labels to the system label dictionary dynamically as needed.
Therefore the universe of labels/auth names would not need to be defined up front for new
attributes found on relevant objects returned from LDAP searches.

Because this SLG would otherwise want to query LDAP for every user request, we would want
to introduce caching of LDAP query responses with a limited lifetime, perhaps 5 or 10 minutes,
and reuse the results of previous searches until they expire. 

> [VisibilityController] ScanLabelGenerator using LDAP
> ----------------------------------------------------
>
>                 Key: HBASE-10919
>                 URL: https://issues.apache.org/jira/browse/HBASE-10919
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>             Fix For: 0.99.0, 0.98.2
>
>
> A ScanLabelGenerator that queries an external service, using the LDAP protocol, for a
> set of attributes corresponding to the principal represented by the request UGI, and converts
> any returned in the response to additional auths in the effective set.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
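The design sketched in the comment above (search with a `{0}` filter template, drop the attributes you are not interested in, turn the rest into auths, cache results with a limited lifetime), as an added Python example that is not HBase or Hadoop code. It assumes an injected `search` function standing in for the bound LDAP connection, a constructed in-memory directory in place of a real server, and that the values of the retained attributes become the auth labels; the RFC 4515 escaping of the principal substituted into the filter is the check a practitioner would want, since the principal is data and must not be able to alter the filter.

```python
import time
from typing import Callable, Dict, Iterable, List, Tuple
# RFC 4515 escaping for values substituted into a filter: the principal is data and
# must not be able to close or add filter components (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, principal: str) -> str:
    # Substitute the escaped principal for {0} in the configured filter template.
    return template.replace("{0}", escape_filter_value(principal))

Entry = Dict[str, List[str]]   # one LDAP object: attribute name -> values

class LdapScanLabelGenerator:
    def __init__(self, search: Callable[[str], List[Entry]], template: str,
                 ignored_attrs: Iterable[str], ttl_seconds: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._search = search                  # bound LDAP search, injected (assumption)
        self._template = template
        self._ignored = {a.lower() for a in ignored_attrs}
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, List[str]]] = {}   # principal -> (expiry, auths)
        self.queries = 0                       # real searches performed (shows the cache)

    def auths_for(self, principal: str) -> List[str]:
        now = self._clock()
        hit = self._cache.get(principal)
        if hit is not None and hit[0] > now:
            return list(hit[1])
        self.queries += 1
        auths = set()
        for entry in self._search(build_filter(self._template, principal)):
            for attr, values in entry.items():
                if attr.lower() not in self._ignored:
                    auths.update(values)       # assumption: remaining values become auths
        result = sorted(auths)
        self._cache[principal] = (now + self._ttl, result)   # empty results are cached too
        return list(result)

# Constructed stand-in for the LDAP server, keyed by the exact filter string sent to it.
FAKE_DIRECTORY: Dict[str, List[Entry]] = {
    "(&(objectClass=user)(cn=alice))": [{"cn": ["alice"], "objectClass": ["user"],
        "department": ["finance"], "clearance": ["secret"], "userPassword": ["constructed"]}],
}

def fake_search(filter_str: str) -> List[Entry]:
    return FAKE_DIRECTORY.get(filter_str, [])
```

A principal such as `alice)(objectClass=*` is escaped before substitution, so it matches nothing instead of widening the search, and the empty result is cached for the same lifetime as a hit.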
