[ https://issues.apache.org/jira/browse/HIVE-27311?focusedWorklogId=860549&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860549 ]
ASF GitHub Bot logged work on HIVE-27311:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 04/May/23 11:47
            Start Date: 04/May/23 11:47
    Worklog Time Spent: 10m
      Work Description: henrib commented on code in PR #4284:
URL: https://github.com/apache/hive/pull/4284#discussion_r1184904759

##########
service/src/java/org/apache/hive/service/auth/ldap/DirSearch.java:
##########
@@ -34,6 +34,16 @@ public interface DirSearch extends Closeable { */ String findUserDn(String user) throws NamingException; + /** + * Finds user's distinguished name. + * @param user username + * @param userSearchFilter Generic LDAP Search filter for ex: (&(uid={0})(objectClass=person)) + * @param baseDn LDAP BaseDN for user searches for ex: dc=apache,dc=org + * @return DN for the specific user if exists, null otherwise + * @throws NamingException + */ + String findUserDnBySearch(String user, String userSearchFilter, String baseDn) throws NamingException;

Review Comment:
I'm confused and missing the obvious; I'm just suggesting renaming:
`String findUserDnBySearch(String user, String userSearchFilter, String baseDn) throws NamingException;`
to
`String findUserDn(String user, String userSearchFilter, String baseDn) throws NamingException;`
The new method with search arguments seems a nice extension (overload) to the original one.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 860549)
    Time Spent: 1h 20m  (was: 1h 10m)

> Improve LDAP auth to support generic search bind authentication
> ---------------------------------------------------------------
>
>                 Key: HIVE-27311
>                 URL: https://issues.apache.org/jira/browse/HIVE-27311
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>   Affects Versions: 4.0.0-alpha-2
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Hive's LDAP auth configuration is home-baked and a bit specific to Hive. This
> was by design, intending to be as flexible as it can be for accommodating
> various LDAP implementations. But this does not necessarily make it easy to
> configure Hive with such custom values for LDAP filtering when most other
> components accept generic LDAP filters, for example: search bind filters.
> There has to be a layer of translation to have it configured. Instead we can
> enhance Hive to support generic search bind filters.
> To support this, I am proposing adding NEW alternate configurations.
> hive.server2.authentication.ldap.userSearchFilter
> hive.server2.authentication.ldap.groupSearchFilter
> hive.server2.authentication.ldap.groupBaseDN
> Search bind filtering will also use EXISTING config param
> hive.server2.authentication.ldap.baseDN
> This is an alternate configuration and will be used first if specified. So users
> can continue to use existing configuration as well. These changes should not
> interfere with existing configurations.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
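
Review bot: The Javadoc on the added `findUserDnBySearch` in `DirSearch.java` does not say how `user` is substituted into the `{0}` placeholder of `userSearchFilter`, or whether it is escaped first. Since this interface sits in the LDAP auth path (`org.apache.hive.service.auth.ldap`), the contract should state that implementations escape LDAP filter special characters in `user` (RFC 4515) before building the filter, so that every `DirSearch` implementation treats the value the same way. The summary line "Finds user's distinguished name." also does not distinguish this lookup from `findUserDn(String user)` above it, and `@throws NamingException` has no description; say that the search uses the caller-supplied filter and base DN, and when the exception is raised.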