[ https://issues.apache.org/jira/browse/HIVE-13295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15198645#comment-15198645 ]
Chaoyu Tang commented on HIVE-13295:
------------------------------------

I left some comments in the RB, please take a look.

> Improvement to LDAP search queries in HS2 LDAP Authenticator
> ------------------------------------------------------------
>
>                 Key: HIVE-13295
>                 URL: https://issues.apache.org/jira/browse/HIVE-13295
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 1.3.0
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>         Attachments: HIVE-13295.1.patch
>
>
> As more use cases, for various LDAP flavors and deployments, emerge, Hive's
> LDAP authentication provider needs additional configuration properties to
> make it more flexible to work with different LDAP deployments.
> For example:
> 1) Not every LDAP server supports a "memberOf" property on user entries that
> refer to the groups the user belongs to. This attribute is used for group
> filter support. So instead of relying on this attribute to be set, we can
> reverse the search and find all the groups that have an attribute, that
> refers to its members, set. For example "member" or "memberUid" etc.
> Since this attribute name differs from ldap to ldap, it's best we make this
> configurable, with a default value of "member"
> 2) In HIVE-12885, a new property was introduced to make the attribute for a
> user/group search key user-configurable instead of assuming it's "uid" (when
> baseDN is set) or "cn" (otherwise). This change was deferred from the initial
> patch.
> 3) LDAP Groups can have various ObjectClass'es. For example objectClass=group
> or objectClass=groupOfNames or objectClass=posixGroup or
> objectClass=groupOfUniqueNames etc. There could be others we don't know of.
> So we need a property to make this user-configurable with a certain default.
> 4) There is also a bug where the lists for groupFilter and userFilter are not
> re-initialized each time init() is called.
> These lists are only re-initialized if the new HiveConf has userFilter or
> groupFilter set values. Otherwise, the provider will use values from previous
> initialization.
> I found this bug when writing some new tests.
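
The reverse group lookup from items 1 and 3 of the quoted description, as an added example that is not code from the HIVE-13295 patch: it builds the search filter from a configurable group objectClass and membership attribute, and escapes the user value per RFC 4515 so it cannot change the filter's structure. The class and method names are hypothetical, the sample DNs are constructed, and accepting only descriptor-style names (no numeric OIDs) is an assumption of this sketch.

```java
// Added illustration; not code from HIVE-13295. All names here are hypothetical.
public class GroupMembershipFilter {

    /** Escape a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Configured attribute and objectClass names: a letter, then letters, digits or hyphens. */
    static String requireDescriptor(String name) {
        if (name == null || !name.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("not a valid LDAP attribute/class name: " + name);
        }
        return name;
    }

    /**
     * Filter matching every group entry whose membership attribute holds the user.
     * groupClass and membershipAttr stand in for the configurable values the issue
     * proposes, for example groupOfNames with member, or posixGroup with memberUid.
     */
    static String groupsOfUser(String groupClass, String membershipAttr, String userValue) {
        return "(&(objectClass=" + requireDescriptor(groupClass) + ")("
                + requireDescriptor(membershipAttr) + "="
                + escapeFilterValue(userValue) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample values: groupOfNames stores member DNs, posixGroup stores uids.
        System.out.println(groupsOfUser("groupOfNames", "member",
                "uid=user1,ou=People,dc=example,dc=com"));
        System.out.println(groupsOfUser("posixGroup", "memberUid", "user1"));
        // A value containing filter metacharacters stays a single literal once escaped.
        System.out.println(groupsOfUser("groupOfNames", "member", "uid=a)(uid=*"));
    }
}
```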