[ https://issues.apache.org/jira/browse/HIVE-27311?focusedWorklogId=861137&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-861137 ]
ASF GitHub Bot logged work on HIVE-27311:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/May/23 07:58
            Start Date: 09/May/23 07:58
    Worklog Time Spent: 10m
      Work Description: dengzhhu653 commented on code in PR #4284:
URL: https://github.com/apache/hive/pull/4284#discussion_r1188273010

##########
service/src/java/org/apache/hive/service/auth/ldap/UserGroupSearchFilterFactory.java:
##########
@@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hive.service.auth.ldap; + +import com.google.common.base.Strings; + +import java.util.List; +import javax.naming.NamingException; +import javax.security.sasl.AuthenticationException; +import org.apache.hadoop.hive.conf.HiveConf; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * A factory for a {@link Filter} based on user and group search filters. + * <br> + * The produced filter object filters out all users that are not found in the search result + * of the query provided in Hive configuration. + * Atleast one search criteria is REQUIRED. + * Configuration could have Usersearch filter or Groupsearch filter or both. 
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER + * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN + * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPSEARCHFILTER + * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPBASEDN + */ +public class UserGroupSearchFilterFactory implements FilterFactory { + + /** + * {@inheritDoc} + */ + @Override + public Filter getInstance(HiveConf conf) { + String userSearchFilter = conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER.varname); + String userSearchBaseDN = conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN.varname); + String groupSearchFilter = conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPSEARCHFILTER.varname); + String groupSearchBaseDN = conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPBASEDN.varname); + + // Both UserSearch and GroupSearch cannot be null or empty. + if (Strings.isNullOrEmpty(userSearchFilter) &&

Review Comment:
nit: looks like the groupSearchFilter and groupSearchBaseDN can be empty by the example

Issue Time Tracking
-------------------

    Worklog Id:     (was: 861137)
    Time Spent: 1h 50m  (was: 1h 40m)

> Improve LDAP auth to support generic search bind authentication
> ---------------------------------------------------------------
>
>                 Key: HIVE-27311
>                 URL: https://issues.apache.org/jira/browse/HIVE-27311
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 4.0.0-alpha-2
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Hive's LDAP auth configuration is home-baked and a bit specific to hive. This
> was by design intending to be as flexible as it can be for accommodating
> various LDAP implementations. But this does not necessarily make it easy to
> configure hive with such custom values for ldap filtering when most other
> components accept generic ldap filters, for example: search bind filters.
> There has to be a layer of translation to have it configured. Instead we can
> enhance Hive to support generic search bind filters.
> To support this, I am proposing adding NEW alternate configurations.
> hive.server2.authentication.ldap.userSearchFilter
> hive.server2.authentication.ldap.groupSearchFilter
> hive.server2.authentication.ldap.groupBaseDN
> Search bind filtering will also use EXISTING config param
> hive.server2.authentication.ldap.baseDN
> This is alternate configuration and will be used first if specified. So users
> can continue to use existing configuration as well. These changes should not
> interfere with existing configurations.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
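
Review bot: The inline comment directly above the `if (Strings.isNullOrEmpty(userSearchFilter) &&` check in `getInstance`, "Both UserSearch and GroupSearch cannot be null or empty", can be read as requiring both filters, while the class Javadoc in the same hunk says at least one search criterion is required and that a user filter, a group filter, or both may be configured. Reword the comment so it matches the `&&` condition, for example "At least one of userSearchFilter and groupSearchFilter must be set", so the rule that decides whether this authentication filter is built is stated unambiguously. In the class Javadoc, "Atleast one search criteria" should read "At least one search criterion", and the four `@see` tags name `HiveConf.ConfVars` constants with a dot, so they should use the member form, as in `HiveConf.ConfVars#HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER`, to resolve as Javadoc links.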