hive-issues mailing list archives

From "Aihua Xu (JIRA)" <>
Subject [jira] [Commented] (HIVE-15076) Improve scalability of LDAP authentication provider group filter
Date Wed, 28 Dec 2016 14:42:58 GMT


Aihua Xu commented on HIVE-15076:

Sorry for the late review. I didn't see your message. 

Looks good to me. +1.

> Improve scalability of LDAP authentication provider group filter
> ----------------------------------------------------------------
>                 Key: HIVE-15076
>                 URL:
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: 2.1.0
>            Reporter: Illya Yalovyy
>            Assignee: Illya Yalovyy
>         Attachments: HIVE-15076.1.patch, HIVE-15076.2.patch, HIVE-15076.3.patch, HIVE-15076.4.patch,
>
> The current implementation uses the following algorithm:
> #   For a given user, find all groups that the user is a member of. (A list of LDAP groups is constructed as a result of that request.)
> #   Match this list of groups with the provided group filter.
> Time/memory complexity of this approach is O(N) on the client side, where N is the number of groups the user has membership in. On a large directory (800+ groups per user) we can observe up to 2x performance degradation and failures because of the size of the LDAP response (LDAP: error code 4 - Sizelimit Exceeded).
> Some directory services (Microsoft Active Directory, for instance) provide a virtual attribute for the User Object that contains a list of groups that the user belongs to. This attribute can be used to quickly determine whether this user passes or fails the group filter.

This message was sent by Atlassian JIRA
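
The two strategies from the issue description, as an added example that is not part of the original message or of Hive's code. It runs against a constructed in-memory directory; the DNs, the 500-entry size limit and all function names are assumptions, and `memberOf` is Active Directory's name for the kind of attribute the description refers to (the message itself does not name it).

```python
SIZE_LIMIT = 500  # assumed server-side cap on entries per search response

class SizeLimitExceeded(Exception):
    """Stands in for 'LDAP: error code 4 - Sizelimit Exceeded'."""

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def make_directory(user_dn, n_groups):
    """Constructed sample data: one user who belongs to n_groups groups."""
    group_dns = [f"cn=group{i},ou=groups,dc=example,dc=com" for i in range(n_groups)]
    return {"groups": {dn: {user_dn} for dn in group_dns},
            "users": {user_dn: {"memberOf": set(group_dns)}}}

def passes_by_enumeration(directory, user_dn, allowed_groups):
    """Current algorithm: fetch every group of the user, then match client-side."""
    found = []
    for dn, members in directory["groups"].items():
        if user_dn in members:
            if len(found) >= SIZE_LIMIT:
                raise SizeLimitExceeded(f"more than {SIZE_LIMIT} entries")
            found.append(dn)  # O(N) entries cross the wire and sit in client memory
    return any(dn in allowed_groups for dn in found)

def membership_filter(user_dn, allowed_groups, attr="memberOf"):
    """One filter the server can evaluate against the user's own entry."""
    clauses = "".join(f"({attr}={escape_filter_value(g)})" for g in sorted(allowed_groups))
    return f"(&(distinguishedName={escape_filter_value(user_dn)})(|{clauses}))"

def passes_by_membership_attr(directory, user_dn, allowed_groups, attr="memberOf"):
    """Proposed approach, simulating the server's evaluation of membership_filter():
    the response holds at most one entry, however many groups the user has."""
    entry = directory["users"].get(user_dn, {})
    return bool(entry.get(attr, set()) & set(allowed_groups))

def authorize(check, directory, user_dn, allowed_groups):
    """Fail closed: a directory error never grants access."""
    try:
        return check(directory, user_dn, allowed_groups)
    except SizeLimitExceeded:
        return False
```

With 800 groups the enumeration check hits the size limit and the user is denied even though the filter should pass, while the attribute check still returns the right answer from a single entry.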