Naveen Gangam created HIVE-14513:
------------------------------------
Summary: Enhance custom query feature in LDAP atn to support
resultset of ldap groups
Key: HIVE-14513
URL: https://issues.apache.org/jira/browse/HIVE-14513
Project: Hive
Issue Type: Bug
Components: HiveServer2
Affects Versions: 1.0.0
Reporter: Naveen Gangam
Assignee: Naveen Gangam
LDAP Authenticator can be configured to use a result set from a LDAP query to
authenticate. However, is it expected that this LDAP query would only result a
set of users (aka full DNs for the users in LDAP).
However, its not always straightforward to be able to author queries that
return users. For example, say you would like to allow "all users from group1
and group2" to be authenticated. The LDAP query has to return a union of all
members of the group1 and group2.
For example, one common configuration is that groups contain a list of its users
"dn: uid=group1,ou=Groups,dc=example,dc=com",
"distinguishedName: uid=group1,ou=Groups,dc=example,dc=com",
"objectClass: top",
"objectClass: groupOfNames",
"objectClass: ExtensibleObject",
"cn: group1",
"ou: Groups",
"sn: group1",
"member: uid=user1,ou=People,dc=example,dc=com",
The query
{{(&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))}}
will return the entries
uid=group1,ou=Groups,dc=example,dc=com
uid=group2,ou=Groups,dc=example,dc=com
but there is no means to form a query that would return just the values of
"member" attributes. (ldap client tools are able to do by filtering out the
attributes on these entries.
So it will be useful to have such support to be able to specify queries that
return groups.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
