[ https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292516#comment-15292516 ]

Mingliang Liu commented on HADOOP-13105:
----------------------------------------

Thanks [~jojochuang] and [~cnauroth] for the review and comment. The next patch 
(on its way) will make both connect and read timeout configurable. As to the 
name, do you have any suggestion? I mean, we're setting 
{{com.sun.jndi.ldap.connect.timeout}} in the LDAP environment, and we may need 
a wrapped hadoop name.

As to the test, I find that when creating {{InitialDirContext()}} it will 
authenticate when it connects and binds. This seems different from the stateless 
HTTP request in {{TestWebHdfsTimeouts}}. See the [doc 
here|https://docs.oracle.com/javase/jndi/tutorial/ldap/security/ldap.html]. I'm 
not aware of any easy way in the fake LDAP server to make the client LdapCtx 
connected. In the v0 patch, we're testing the connection timeout instead of the read 
timeout, as the client has never connected to the server. See the following 
exception stack.
{code}
2016-05-19 16:49:23,225 INFO  security.TestLdapGroupsMapping 
(TestLdapGroupsMapping.java:testLdapReadTimeout(245)) - Got the exception while 
LDAP querying: 
javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms.
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:490)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:365)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.InitialContext.<init>(InitialContext.java:216)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at org.apache.hadoop.security.LdapGroupsMapping.getDirContext(LdapGroupsMapping.java:437)
        at org.apache.hadoop.security.LdapGroupsMapping.doGetGroups(LdapGroupsMapping.java:366)
        at org.apache.hadoop.security.TestLdapGroupsMapping.testLdapReadTimeout(TestLdapGroupsMapping.java:242)
{code}

Choices are:
# test connection timeout only, not ideal
# implement a mini LDAP server which can handle real LDAP requests
# mock (assuming Java Naming performs well with given env variables)

I'm working on the 2nd option. Any comment?

> Support timeouts in LDAP queries in LdapGroupsMapping.
> ------------------------------------------------------
>
>                 Key: HADOOP-13105
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13105
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Chris Nauroth
>            Assignee: Mingliang Liu
>         Attachments: HADOOP-13105.000.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
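The comment above turns on the fact that {{InitialDirContext}} performs the LDAP bind inside its constructor, so the JNDI read timeout (not only the connect timeout) can fire before any query is issued. The following is an added stand-alone example, not code from the Hadoop patch or from the commenter, showing both JNDI environment properties set and reproducing the "LDAP response read timed out" failure against a constructed server that accepts the TCP connection but never answers the bind. The class and method names ({{LdapTimeoutDemo}}, {{SilentLdapServer}}, {{timeBindFailure}}), the bind DN and the timeout values are assumptions for illustration; the two {{com.sun.jndi.ldap.*}} property names are the standard JNDI ones, and no Hadoop-side wrapped configuration name is assumed since the thread has not settled on one.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not Hadoop project code): shows that the JNDI connect and
 * read timeouts bound the bind that InitialDirContext's constructor performs,
 * so a hung directory server can no longer stall a group lookup forever.
 */
public class LdapTimeoutDemo {

  /** Constructed "LDAP server": accepts TCP connections and never replies. */
  static final class SilentLdapServer implements AutoCloseable {
    private final ServerSocket server;
    // Accepted sockets are held here so they are not garbage-collected and
    // closed; a closed socket would give the client EOF instead of a timeout.
    private final List<Socket> held = Collections.synchronizedList(new ArrayList<>());

    SilentLdapServer() throws IOException {
      server = new ServerSocket(0, 50, InetAddress.getLoopbackAddress());
      Thread acceptor = new Thread(() -> {
        try {
          while (!server.isClosed()) {
            held.add(server.accept()); // connection succeeds; bind response never sent
          }
        } catch (IOException ignored) {
          // server closed
        }
      }, "silent-ldap-acceptor");
      acceptor.setDaemon(true);
      acceptor.start();
    }

    int port() { return server.getLocalPort(); }

    @Override public void close() throws IOException {
      server.close();
      synchronized (held) { for (Socket s : held) s.close(); }
    }
  }

  /** JNDI environment with both timeouts set (values in milliseconds). */
  static Hashtable<String, String> env(String url, long connectMs, long readMs) {
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "cn=bind,dc=example,dc=com"); // assumed bind DN
    env.put(Context.SECURITY_CREDENTIALS, "secret");                   // assumed password
    // Standard JNDI LDAP provider properties: TCP connect bound and per-response read bound.
    env.put("com.sun.jndi.ldap.connect.timeout", Long.toString(connectMs));
    env.put("com.sun.jndi.ldap.read.timeout", Long.toString(readMs));
    return env;
  }

  /**
   * Constructs the context (which connects and binds) and returns how many
   * milliseconds elapsed before it failed, or -1 if it unexpectedly succeeded.
   */
  static long timeBindFailure(Hashtable<String, String> env) {
    long start = System.nanoTime();
    try {
      DirContext ctx = new InitialDirContext(env);
      ctx.close();
      return -1;
    } catch (NamingException e) {
      long ms = (System.nanoTime() - start) / 1_000_000;
      System.out.println("bind failed after " + ms + " ms: " + e.getMessage());
      return ms;
    }
  }

  public static void main(String[] args) throws Exception {
    try (SilentLdapServer server = new SilentLdapServer()) {
      String url = "ldap://127.0.0.1:" + server.port();
      // The TCP connect succeeds immediately, so the connect timeout never fires.
      // The bind request is written and Connection.readReply() waits for an answer
      // that never arrives; the read timeout turns that wait into a NamingException.
      long ms = timeBindFailure(env(url, 2000, 1000));
      if (ms < 1000 || ms > 10000) {
        throw new AssertionError("read timeout did not bound the bind: " + ms + " ms");
      }
      // Without the read timeout property this constructor call would block indefinitely.
    }
  }
}
```

Run with {{java LdapTimeoutDemo.java}} on JDK 11 or later; the {{javax.naming}} classes ship in the {{java.naming}} module. The accepted sockets must be kept referenced, otherwise the JVM may close them and the client sees a connection reset rather than the timeout under test. To exercise the connect timeout instead, point the URL at an address that drops SYN packets (behaviour depends on the network, so such a test should not assert on a tight elapsed-time window). The read timeout also applies to every later operation on the context, such as {{search()}}, so a server that answers the bind and then hangs is bounded the same way.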
