hive-issues mailing list archives

From "Chaoyu Tang (JIRA)" <>
Subject [jira] [Commented] (HIVE-13295) Improvement to LDAP search queries in HS2 LDAP Authenticator
Date Tue, 22 Mar 2016 16:10:26 GMT


Chaoyu Tang commented on HIVE-13295:


> Improvement to LDAP search queries in HS2 LDAP Authenticator
> ------------------------------------------------------------
>                 Key: HIVE-13295
>                 URL:
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 1.3.0
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>         Attachments: HIVE-13295.1.patch, HIVE-13295.2.patch
> As more use cases, for various LDAP flavors and deployments, emerge, Hive's LDAP authentication provider needs additional configuration properties to make it more flexible to work with different LDAP deployments.
> For example:
> 1) Not every LDAP server supports a "memberOf" property on user entries that refers to the groups the user belongs to. This attribute is used for group filter support. So instead of relying on this attribute to be set, we can reverse the search and find all the groups that have an attribute, that refers to its members, set. For example "member" or "memberUid".
> Since this attribute name differs from LDAP to LDAP, it's best we make this configurable, with a default value of "member".
> 2) In HIVE-12885, a new property was introduced to make the attribute for a user/group search key user-configurable instead of assuming it's "uid" (when baseDN is set) or "cn" (otherwise). This change was deferred from the initial patch.
> 3) LDAP groups can have various ObjectClasses. For example objectClass=group or objectClass=groupOfNames or objectClass=posixGroup or objectClass=groupOfUniqueNames etc. There could be others we don't know of.
> So we need a property to make this user-configurable with a certain default.
> 4) There is also a bug where the lists for groupFilter and userFilter are not re-initialized each time init() is called.
> These lists are only re-initialized if the new HiveConf has userFilter or groupFilter set values. Otherwise, the provider will use values from previous initialization.
> I found this bug when writing some new tests.

This message was sent by Atlassian JIRA
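
An added illustration of items 1, 3 and 4 in the issue description above, not Hive's code and not taken from the attached patches: a reverse group search filter built from a configurable group class and membership attribute, and an `init()` that always resets its filter list. The class, method and parameter names are hypothetical, and the DNs, group names and the `groupOfNames` class value are constructed sample inputs.

```java
import java.util.ArrayList;
import java.util.List;

// Added sketch, not Hive's implementation; all names here are hypothetical.
public class GroupSearchSketch {
    private final List<String> groupFilter = new ArrayList<>();

    // Item 4: reset state on every init() so an unset filter does not
    // silently keep the groups allowed by a previous configuration.
    public void init(String groupFilterCsv) {
        groupFilter.clear();
        if (groupFilterCsv == null || groupFilterCsv.trim().isEmpty()) {
            return;
        }
        for (String g : groupFilterCsv.split(",")) {
            groupFilter.add(g.trim());
        }
    }

    // RFC 4515 escaping for a value embedded in a search filter.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Items 1 and 3: find groups that list the user as a member, instead of
    // reading "memberOf" from the user entry. groupClass and membershipAttr
    // come from administrator-set configuration; the member value is escaped.
    static String groupsOfUser(String groupClass, String membershipAttr, String member) {
        return "(&(objectClass=" + groupClass + ")("
                + membershipAttr + "=" + escape(member) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample values.
        System.out.println(groupsOfUser("groupOfNames", "member",
                "uid=user1,ou=People,dc=example,dc=com"));
        System.out.println(groupsOfUser("posixGroup", "memberUid", "j*doe (temp)"));
        GroupSearchSketch provider = new GroupSearchSketch();
        provider.init("admins,analysts");
        provider.init(null); // second init without a filter: list must be empty
        System.out.println(provider.groupFilter);
    }
}
```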
