[ 
https://issues.apache.org/jira/browse/HADOOP-12291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15266783#comment-15266783
 ] 

Esther Kundin commented on HADOOP-12291:
----------------------------------------

Thank you for the comments.  I am working on some of the fixes.

The thought behind leaving the option of using -1 was that some companies may 
have a deeply nested structure and do not mind the cost of the lookups.  We 
thought this would be the most flexible way of building the solution, and as 
the default is set appropriately, most people would not be impacted in any 
case.  Do you feel strongly that the -1 option for infinite recursion should be 
removed?

For your point 2, the DIRECTORY_SEARCH_TIMEOUT is a timeout set for each LDAP 
query.  We are not changing the semantics of the current code, as it currently 
does 2 calls - one for the user and one for the group - and each of those calls 
will have the full timeout set.  We are raising the number of calls, but the 
semantics are still the same, with the timeout being on a per-call basis.

For your point 7, I do not think you can make fewer LDAP queries.  You will 
always need at least one, in order to leave the original group lookup and the 
if check will take care of subsequent calls. I can add an extra check right at 
the start of goUpGroupHierarchy.  This will prevent an extra query if the 
function is called incorrectly.

> Add support for nested groups in LdapGroupsMapping
> --------------------------------------------------
>
>                 Key: HADOOP-12291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Gautam Gopalakrishnan
>            Assignee: Esther Kundin
>              Labels: features, patch
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12291.001.patch, HADOOP-12291.002.patch
>
>
> When using {{LdapGroupsMapping}} with Hadoop, nested groups are not 
> supported. So for example if user {{jdoe}} is part of group A which is a 
> member of group B, the group mapping currently returns only group A.
> Currently this facility is available with {{ShellBasedUnixGroupsMapping}} and 
> SSSD (or similar tools) but would be good to have this feature as part of 
> {{LdapGroupsMapping}} directly.
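
The trade-off discussed in the comment above (a bounded number of hierarchy levels versus -1 for unlimited, with the timeout applied per LDAP query) can be seen in a small sketch. This is an added example, not code from the HADOOP-12291 patches or from Hadoop: the in-memory directory, the names `resolve`, `lookup` and `maxLevels`, the one-query-per-group cost model and the 10-second timeout value are all assumptions made for illustration.

```java
import java.util.*;

// Added illustration, not Hadoop's LdapGroupsMapping code. The directory is a
// constructed in-memory map; each lookup() stands in for one LDAP query.
public class NestedGroupDemo {
    // Constructed sample: group -> groups it is a direct member of.
    static final Map<String, List<String>> PARENTS = Map.of(
        "A", List.of("B"),
        "B", List.of("C", "D"),
        "C", List.of("A"),   // deliberate cycle: C is a member of A
        "D", List.of());

    static int queries = 0;  // number of simulated LDAP queries issued

    static List<String> lookup(String group) {
        queries++;
        return PARENTS.getOrDefault(group, List.of());
    }

    // maxLevels (hypothetical name): 0 = direct groups only, n = climb n
    // levels, -1 = unlimited. The visited set keeps -1 from looping on cycles.
    static Set<String> resolve(Set<String> direct, int maxLevels) {
        Set<String> seen = new LinkedHashSet<>(direct);
        Set<String> frontier = new LinkedHashSet<>(direct);
        for (int level = 0;
             !frontier.isEmpty() && (maxLevels < 0 || level < maxLevels);
             level++) {
            Set<String> next = new LinkedHashSet<>();
            for (String g : frontier) {
                for (String parent : lookup(g)) {
                    if (seen.add(parent)) next.add(parent);
                }
            }
            frontier = next;
        }
        return seen;
    }

    public static void main(String[] args) {
        long perQueryTimeoutMs = 10_000; // assumed per-query timeout
        for (int levels : new int[] {0, 1, -1}) {
            queries = 0;
            Set<String> groups = resolve(Set.of("A"), levels);
            // Worst case grows with the query count because the timeout
            // applies to each query, not to the whole resolution.
            System.out.printf("levels=%d groups=%s queries=%d worstCaseMs=%d%n",
                levels, groups, queries, queries * perQueryTimeoutMs);
        }
    }
}
```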


