hadoop-common-issues mailing list archives

From "Esther Kundin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12291) Add support for nested groups in LdapGroupsMapping
Date Mon, 02 May 2016 15:28:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15266783#comment-15266783 ]

Esther Kundin commented on HADOOP-12291:

Thank you for the comments.  I am working on some of the fixes.

The thought behind leaving the option of using -1 was that some companies may have a deeply
nested structure and do not mind the cost of the lookups.  We thought this would be the
most flexible way of building the solution, and as the default is set appropriately, most
people would not be impacted in any case.  Do you feel strongly that the -1 option for infinite
recursion should be removed?

For your point 2, the DIRECTORY_SEARCH_TIMEOUT is a timeout set for each LDAP query.  We are
not changing the semantics of the current code, as it currently does 2 calls - one for the
user and one for the group - and each of those calls will have the full timeout set.  We are
raising the number of calls, but the semantics are still the same, with the timeout being
on a per-call basis.

For your point 7, I do not think you can make fewer LDAP queries.  You will always need at
least one, in order to leave the original group lookup and the if check will take care of
subsequent calls. I can add an extra check right at the start of goUpGroupHierarchy.  This
will prevent an extra query if the function is called incorrectly.

> Add support for nested groups in LdapGroupsMapping
> --------------------------------------------------
>                 Key: HADOOP-12291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Gautam Gopalakrishnan
>            Assignee: Esther Kundin
>              Labels: features, patch
>             Fix For: 2.8.0
>         Attachments: HADOOP-12291.001.patch, HADOOP-12291.002.patch
> When using {{LdapGroupsMapping}} with Hadoop, nested groups are not supported. So for
> example if user {{jdoe}} is part of group A which is a member of group B, the group mapping
> currently returns only group A.
> Currently this facility is available with {{ShellBasedUnixGroupsMapping}} and SSSD (or
> similar tools) but would be good to have this feature as part of {{LdapGroupsMapping}} directly.
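
The trade-offs discussed in this comment (a bounded or unlimited number of hierarchy levels, a timeout that applies per query, and a check that avoids a needless lookup) can be seen in a small model. This is an added example, not code from the HADOOP-12291 patches: the class, method names, in-memory directory and timeout value are all hypothetical, and one lookup per hierarchy level is an assumption.

```java
import java.util.*;

public class NestedGroupsDemo {
    // Constructed directory: group -> groups it is a direct member of.
    // C is a member of A, so the hierarchy contains a cycle.
    static final Map<String, Set<String>> MEMBER_OF = Map.of(
        "A", Set.of("B"),
        "B", Set.of("C"),
        "C", Set.of("A"));
    static int queries = 0;

    // Stand-in for one LDAP search; in a real client every such call
    // would be given the full per-query timeout.
    static Set<String> queryParents(Set<String> groups) {
        queries++;
        Set<String> parents = new HashSet<>();
        for (String g : groups) parents.addAll(MEMBER_OF.getOrDefault(g, Set.of()));
        return parents;
    }

    // maxLevels: 0 = direct groups only, N = climb at most N levels, -1 = no limit.
    static Set<String> resolve(Set<String> direct, int maxLevels) {
        Set<String> seen = new TreeSet<>(direct);
        Set<String> frontier = new HashSet<>(direct);
        // The guard runs before any lookup, so maxLevels = 0 issues no query.
        for (int level = 0; !frontier.isEmpty() && (maxLevels < 0 || level < maxLevels); level++) {
            Set<String> parents = queryParents(frontier);
            parents.removeAll(seen);   // visited set: -1 still terminates on a cycle
            seen.addAll(parents);
            frontier = parents;
        }
        return seen;
    }

    public static void main(String[] args) {
        long timeoutMs = 10_000;       // constructed per-query timeout
        for (int max : new int[] {0, 1, -1}) {
            queries = 0;
            Set<String> groups = resolve(Set.of("A"), max);
            // Worst case grows with the number of queries, not with one shared budget.
            System.out.printf("maxLevels=%d groups=%s nestedQueries=%d worstCaseMs=%d%n",
                max, groups, queries, queries * timeoutMs);
        }
    }
}
```

With a per-query timeout, the worst-case latency of one group resolution is the query count times the timeout, which is why an unlimited setting deserves both a visited set and monitoring of lookup times.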
