Naveen Gangam created HIVE-13295:
------------------------------------

             Summary: Improvement to LDAP search queries in HS2 LDAP Authenticator
                 Key: HIVE-13295
                 URL: https://issues.apache.org/jira/browse/HIVE-13295
             Project: Hive
          Issue Type: Improvement
          Components: HiveServer2
    Affects Versions: 1.3.0
            Reporter: Naveen Gangam
            Assignee: Naveen Gangam


As more use cases, for various LDAP flavors and deployments, emerge, Hive's LDAP 
authentication provider needs additional configuration properties to make it 
more flexible to work with different LDAP deployments.

For example:
1) Not every LDAP server supports a "memberOf" property on user entries that 
refer to the groups the user belongs to. This attribute is used for group 
filter support. So instead of relying on this attribute to be set, we can 
reverse the search and find all the groups that have an attribute, that refers 
to its members, set. For example "member" or "memberUid" etc.

Since this attribute name differs from LDAP to LDAP, it's best we make this 
configurable, with a default value of "member".

2) In HIVE-12885, a new property was introduced to make the attribute for a 
user/group search key user-configurable instead of assuming it's "uid" (when 
baseDN is set) or "cn" (otherwise). This change was deferred from the initial 
patch.

3) LDAP Groups can have various ObjectClasses. For example objectClass=group 
or objectClass=groupOfNames or objectClass=posixGroup or 
objectClass=groupOfUniqueNames etc. There could be others we don't know of.
So we need a property to make this user-configurable with a certain default.

4) There is also a bug where the lists for groupFilter and userFilter are not 
re-initialized each time init() is called.
These lists are only re-initialized if the new HiveConf has userFilter or 
groupFilter set values. Otherwise, the provider will use values from previous 
initialization.
I found this bug when writing some new tests.
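
The reverse group search from items 1 and 3, sketched as an added example (not code from the Hive patch or from the reporter): the filter selects group entries whose configurable membership attribute names the user, with the user-supplied value escaped per RFC 4515. The class, method and parameter names and the sample DNs are assumptions made for illustration.

```java
// Added illustration; all names here are hypothetical, not Hive's own API.
public class GroupMembershipFilter {

    // RFC 4515 escaping for a value placed inside an LDAP search filter.
    static String escapeValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A configured attribute name must be a plain descriptor; reject anything else
    // rather than trying to escape it.
    static String requireDescriptor(String name) {
        if (!name.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("invalid attribute name: " + name);
        }
        return name;
    }

    // Reverse lookup: match group entries whose membership attribute names the
    // user, instead of reading "memberOf" from the user entry.
    static String groupsForUser(String groupClass, String memberAttr, String memberValue) {
        return "(&(objectClass=" + escapeValue(groupClass) + ")("
                + requireDescriptor(memberAttr) + "=" + escapeValue(memberValue) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String userDn = "uid=user1,ou=People,dc=example,dc=com";
        // groupOfNames keeps the member's full DN in "member".
        System.out.println(groupsForUser("groupOfNames", "member", userDn));
        // posixGroup keeps the bare login name in "memberUid".
        System.out.println(groupsForUser("posixGroup", "memberUid", "user1"));
        // Filter metacharacters in a login name stay literal after escaping.
        System.out.println(groupsForUser("posixGroup", "memberUid", "a*(b)"));
    }
}
```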




