[ https://issues.apache.org/jira/browse/HIVE-27311?focusedWorklogId=860384&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860384 ]
ASF GitHub Bot logged work on HIVE-27311:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/May/23 16:25
            Start Date: 03/May/23 16:25
    Worklog Time Spent: 10m
      Work Description: henrib commented on code in PR #4284:
URL: https://github.com/apache/hive/pull/4284#discussion_r1183920316

##########
service/src/java/org/apache/hive/service/auth/ldap/DirSearch.java:
##########
@@ -34,6 +34,16 @@ public interface DirSearch extends Closeable { */ String findUserDn(String user) throws NamingException; + /** + * Finds user's distinguished name. + * @param user username + * @param userSearchFilter Generic LDAP Search filter for ex: (&(uid={0})(objectClass=person)) + * @param baseDn LDAP BaseDN for user searches for ex: dc=apache,dc=org + * @return DN for the specific user if exists, null otherwise + * @throws NamingException + */ + String findUserDnBySearch(String user, String userSearchFilter, String baseDn) throws NamingException;

Review Comment:
Couldn't we reuse the 'findUserDn' method name (ie overload) for these new methods?

Issue Time Tracking
-------------------

    Worklog Id:     (was: 860384)
    Time Spent: 0.5h  (was: 20m)

> Improve LDAP auth to support generic search bind authentication
> ---------------------------------------------------------------
>
>                 Key: HIVE-27311
>                 URL: https://issues.apache.org/jira/browse/HIVE-27311
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 4.0.0-alpha-2
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Hive's LDAP auth configuration is home-baked and a bit specific to hive. This
> was by design intending to be as flexible as it can be for accommodating
> various LDAP implementations. But this does not necessarily make it easy to
> configure hive with such custom values for ldap filtering when most other
> components accept generic ldap filters, for example: search bind filters.
> There has to be a layer of translation to have it configured. Instead we can
> enhance Hive to support generic search bind filters.
> To support this, I am proposing adding NEW alternate configurations.
> hive.server2.authentication.ldap.userSearchFilter
> hive.server2.authentication.ldap.groupSearchFilter
> hive.server2.authentication.ldap.groupBaseDN
> Search bind filtering will also use EXISTING config param
> hive.server2.authentication.ldap.baseDN
> This is alternate configuration and will be used first if specified. So users
> can continue to use existing configuration as well. These changes should not
> interfere with existing configurations.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
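
Review bot: the Javadoc added for findUserDnBySearch in DirSearch.java does not say how `user` is substituted into the `{0}` placeholder of `userSearchFilter`, and in particular whether LDAP filter special characters (`*`, `(`, `)`, `\`, NUL, per RFC 4515) in the username are escaped first. With a free-form filter such as `(&(uid={0})(objectClass=person))`, the interface contract should state that implementations escape `user` before placing it in the filter, so that a name containing `*` or `)` cannot change what the search matches. The comment also repeats the summary line of findUserDn ("Finds user's distinguished name.") and leaves `@throws NamingException` without a description; say what distinguishes this method (a search under `baseDn` with a caller-supplied filter) and what is returned when the search matches more than one entry.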