hadoop-common-issues mailing list archives

From "Mingliang Liu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.
Date Fri, 20 May 2016 01:29:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292516#comment-15292516

Mingliang Liu commented on HADOOP-13105:

Thanks [~jojochuang] and [~cnauroth] for the review and comment. The next patch (on its way)
will make both connect and read timeout configurable. As to the name, do you have any suggestion?
I mean, we're setting {{com.sun.jndi.ldap.connect.timeout}} in the LDAP environment, and we
may need a wrapped hadoop name.

As to the test, I find that when creating {{InitialDirContext()}} it will authenticate when it connects
and binds. This seems different from the stateless HTTP request in {{TestWebHdfsTimeouts}}.
See the [doc here|https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ldap.html]. I'm
not aware of any easy way in the fake LDAP server to make the client LdapCtx connected. In the
v0 patch, we're testing the connection timeout instead of the read timeout, as the client has
never connected to the server. See the following exception stack:
2016-05-19 16:49:23,225 INFO  security.TestLdapGroupsMapping (TestLdapGroupsMapping.java:testLdapReadTimeout(245)) - Got the exception while LDAP querying: 
javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms.
	at com.sun.jndi.ldap.Connection.readReply(Connection.java:490)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
	at javax.naming.InitialContext.init(InitialContext.java:244)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at org.apache.hadoop.security.LdapGroupsMapping.getDirContext(LdapGroupsMapping.java:437)
	at org.apache.hadoop.security.LdapGroupsMapping.doGetGroups(LdapGroupsMapping.java:366)
	at org.apache.hadoop.security.TestLdapGroupsMapping.testLdapReadTimeout(TestLdapGroupsMapping.java:242)

Choices are:
# test connection timeout only, not ideal
# implement a mini LDAP server which can handle real LDAP requests
# mock (assuming Java Naming performs well with given env variables)

I'm working on the 2nd option. Any comment?

> Support timeouts in LDAP queries in LdapGroupsMapping.
> ------------------------------------------------------
>                 Key: HADOOP-13105
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13105
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Chris Nauroth
>            Assignee: Mingliang Liu
>         Attachments: HADOOP-13105.000.patch
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  This can
create a risk of a very long/infinite wait on a connection.

This message was sent by Atlassian JIRA

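The two JNDI properties under discussion, {{com.sun.jndi.ldap.connect.timeout}} and {{com.sun.jndi.ldap.read.timeout}}, are the only thing standing between a group lookup and an unbounded wait when the directory server (or the network path to it) stops answering. The following is an added, stand-alone example, not code from Hadoop or from the HADOOP-13105 patch. It builds the same kind of environment {{LdapGroupsMapping.getDirContext()}} passes to {{InitialDirContext}} and exercises both timeouts: a constructed fake server that accepts the TCP connection but never answers the BindRequest drives the read timeout through the same {{Connection.readReply}} / {{ldapBind}} path seen in the stack trace above, and an address assumed to be unroutable (192.0.2.1, TEST-NET-1) drives the connect timeout. The bind DN and password are placeholders; the class and method names are the example's own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapTimeoutDemo {

  // JNDI environment keys read by com.sun.jndi.ldap.LdapCtx; values are millisecond strings.
  static final String CONNECT_TIMEOUT = "com.sun.jndi.ldap.connect.timeout";
  static final String READ_TIMEOUT = "com.sun.jndi.ldap.read.timeout";

  /** Environment for a simple bind, with both timeouts set explicitly. */
  static Hashtable<String, String> ldapEnv(String url, String bindDn, String password,
                                           long connectTimeoutMs, long readTimeoutMs) {
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, password);
    // Without these two entries the JDK default is no timeout at all: a hung
    // server or a black-holed route stalls the caller indefinitely.
    env.put(CONNECT_TIMEOUT, Long.toString(connectTimeoutMs));
    env.put(READ_TIMEOUT, Long.toString(readTimeoutMs));
    return env;
  }

  /**
   * Constructs the context, which connects and binds immediately (see the JNDI
   * tutorial linked above), and reports how long that took in milliseconds.
   */
  static long timedBind(Hashtable<String, String> env) {
    long start = System.nanoTime();
    try {
      DirContext ctx = new InitialDirContext(env);
      ctx.close();
      System.out.println("bind succeeded");
    } catch (CommunicationException e) {
      // Connect timeout surfaces here, wrapping a SocketTimeoutException.
      System.out.println("connect failed: " + e.getMessage());
    } catch (NamingException e) {
      // Read timeout during the bind reply surfaces as a plain NamingException:
      // "LDAP response read timed out, timeout used:<n>ms."
      System.out.println("bind failed: " + e.getMessage());
    }
    return (System.nanoTime() - start) / 1_000_000;
  }

  public static void main(String[] args) throws IOException {
    String bindDn = "cn=bind,dc=example,dc=com";   // placeholder credentials
    String password = "secret";

    // Case 1: read timeout. The constructed fake server accepts the TCP connection
    // and then holds it open without sending a BindResponse. The socket is
    // connected, so the connect timeout never fires; only the read timeout
    // bounds the wait inside Connection.readReply().
    try (ServerSocket silent = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
      Thread acceptor = new Thread(() -> {
        try (Socket s = silent.accept()) {
          Thread.sleep(30_000);   // keep the connection open, answer nothing
        } catch (IOException | InterruptedException ignored) {
        }
      });
      acceptor.setDaemon(true);
      acceptor.start();
      String url = "ldap://127.0.0.1:" + silent.getLocalPort();
      long ms = timedBind(ldapEnv(url, bindDn, password, 1000, 2000));
      System.out.println("read-timeout case took " + ms + " ms (about the 2000 ms read timeout)");
    }

    // Case 2: connect timeout. 192.0.2.1 is assumed to be unroutable from this
    // host, so the SYN is never answered and only the connect timeout applies.
    long ms = timedBind(ldapEnv("ldap://192.0.2.1:389", bindDn, password, 1000, 2000));
    System.out.println("connect-timeout case took " + ms + " ms (about the 1000 ms connect timeout)");
  }
}
```

The silent-accept server is the cheap alternative to a full mini LDAP server when the goal is only to prove that the read timeout is honoured: the client gets as far as writing its BindRequest and then blocks on the reply, which is exactly where an unbounded wait would otherwise sit. Whatever wrapped Hadoop configuration names the patch settles on, the check worth keeping in a test is that the measured elapsed time stays close to the configured value rather than the JDK default of waiting forever.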
