hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Illya Yalovyy (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HIVE-15076) Improve scalability of LDAP authentication provider group filter
Date Wed, 26 Oct 2016 20:17:58 GMT
Illya Yalovyy created HIVE-15076:
------------------------------------

             Summary: Improve scalability of LDAP authentication provider group filter
                 Key: HIVE-15076
                 URL: https://issues.apache.org/jira/browse/HIVE-15076
             Project: Hive
          Issue Type: Improvement
          Components: Authentication
    Affects Versions: 2.1.0
            Reporter: Illya Yalovyy
            Assignee: Illya Yalovyy


Current implementation uses following algorithm:
#   For a given user find all groups that user is a member of. (A list of LDAP groups is constructed
as a result of that request)
#  Match this list of groups with provided group filter.
 
Time/Memory complexity of this approach is O(N) on client side, where N – is a number of
groups the user has membership in. On a large directory (800+ groups per user) we can observe
up to 2x performance degradation and failures because of size of LDAP response (LDAP: error
code 4 - Sizelimit Exceeded).
 
Some Directory Services (Microsoft Active Directory for instance) provide a virtual attribute
for User Object that contains a list of groups that user belongs to. This attribute can be
used to quickly determine whether this user passes or fails the group filter.   



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message