-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40019/
-----------------------------------------------------------
(Updated Nov. 9, 2015, 7:54 p.m.)
Review request for Ambari, Dmytro Sen and Robert Levas.
Changes
-------
I did some performance testing. It seems: not a good idea to gather all of the
users during sync (e.g.: we just want to sync some groups, and obtaining all of
the users is a must...so pagination is needed). because of that, filter query
is changed: where the model attribute can be used as a base DN a different
query is used. Also an another fix is included to the patch for group
membership pulling, subgroups are not processed in case of those are not found
in the group csv file.
Bugs: AMBARI-13767
https://issues.apache.org/jira/browse/AMBARI-13767
Repository: ambari
Description (updated)
-------
Group Membership not pulled in with FreeIPA/RHELIDM
In FreeIPA/RHEL (389 DS for the directory server implementation) the DN is not
an attribute on the user, and cannot be used in a filter like this:
(&(objectClass=posixaccount)(|(dn=uid=dstreev,cn=users,cn=accounts,dc=hdp,dc=local)(uid=uid=dstreev,cn=users,cn=accounts,dc=hdp,dc=local)))
Notes:
- MemberAttributes can be used to query/filter on the groups/users. E.g.: in
openldap the member attributes are names, like: hive,hadoop etc. -> there we
can use the actual solution. In another providers, like freeIPA the member
attributes looks like: uid=hive,cn=..., that means these attributes can be used
in queries as the baseDN (so dn part is not needed in the filter), than the
query wont fail.
- there is no group-group relation in ambari. for nested groups: currently we
don't see the user members in the upper groups. I could flatten the users to
the upper groups during the sync, but it is not the right way to do it, because
in case of we delete a user from the subgroup and we syncing only on the
subgroup, the users are not deleted from the upper groups. (we can do that, but
then we sync all of the groups..)
-> the right way should be if we would see the subgroups in the upper groups
(for that, we need the group-group relationship in the future)
Diffs (updated)
-----
ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java
103cfcb
ambari-server/src/test/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulatorTest.java
3f4f7b5
Diff: https://reviews.apache.org/r/40019/diff/
Testing (updated)
-------
Unit tests done.
Functional testing:
- works as expected with different ldap providers
- nested group case: groupA has a groupB member, groupB has 2 users. Group csv
file only contains groupA, then groupA and groupB were processed and 2
memberships were created.
Thanks,
Oliver Szabo
