[ 
https://issues.apache.org/jira/browse/HIVE-27311?focusedWorklogId=861137&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-861137
 ]

ASF GitHub Bot logged work on HIVE-27311:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/May/23 07:58
            Start Date: 09/May/23 07:58
    Worklog Time Spent: 10m 
      Work Description: dengzhhu653 commented on code in PR #4284:
URL: https://github.com/apache/hive/pull/4284#discussion_r1188273010


##########
service/src/java/org/apache/hive/service/auth/ldap/UserGroupSearchFilterFactory.java:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.auth.ldap;
+
+import com.google.common.base.Strings;
+
+import java.util.List;
+import javax.naming.NamingException;
+import javax.security.sasl.AuthenticationException;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A factory for a {@link Filter} based on user and group search filters.
+ * <br>
+ * The produced filter object filters out all users that are not found in the 
search result
+ * of the query provided in Hive configuration.
+ * Atleast one search criteria is REQUIRED.
+ * Configuration could have Usersearch filter or Groupsearch filter or both.
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPSEARCHFILTER
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPBASEDN
+ */
+public class UserGroupSearchFilterFactory implements FilterFactory {
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public Filter getInstance(HiveConf conf) {
+    String userSearchFilter = 
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER.varname);
+    String userSearchBaseDN = 
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN.varname);
+    String groupSearchFilter = 
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPSEARCHFILTER.varname);
+    String groupSearchBaseDN = 
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPBASEDN.varname);
+
+    // Both UserSearch and GroupSearch cannot be null or empty.
+    if (Strings.isNullOrEmpty(userSearchFilter) &&
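Review bot: The inline comment above the null/empty check, "Both UserSearch and GroupSearch cannot be null or empty", can be read as requiring both filters, while the class Javadoc says at least one search criterion is required and the condition opens with a conjunction (`Strings.isNullOrEmpty(userSearchFilter) &&`). Reword the comment to match the Javadoc, for example "At least one of userSearchFilter or groupSearchFilter must be set", and document which base DN each filter is paired with, since all four values are read in `getInstance`. In the Javadoc itself, "Atleast" should be "At least", and the `@see` tags should reference the enum constants with `#` (`HiveConf.ConfVars#HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER`) so they resolve as links.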

Review Comment:
   nit: looks like the groupSearchFilter and groupSearchBaseDN can be empty by 
the example





Issue Time Tracking
-------------------

    Worklog Id:     (was: 861137)
    Time Spent: 1h 50m  (was: 1h 40m)

> Improve LDAP auth to support generic search bind authentication
> ---------------------------------------------------------------
>
>                 Key: HIVE-27311
>                 URL: https://issues.apache.org/jira/browse/HIVE-27311
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 4.0.0-alpha-2
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Hive's LDAP auth configuration is home-baked and a bit specific to Hive. This 
> was by design intending to be as flexible as it can be for accommodating 
> various LDAP implementations. But this does not necessarily make it easy to 
> configure Hive with such custom values for LDAP filtering when most other 
> components accept generic LDAP filters, for example: search bind filters.
> There has to be a layer of translation to have it configured. Instead we can 
> enhance Hive to support generic search bind filters.
> To support this, I am proposing adding NEW alternate configurations. 
> hive.server2.authentication.ldap.userSearchFilter
> hive.server2.authentication.ldap.groupSearchFilter
> hive.server2.authentication.ldap.groupBaseDN
> Search bind filtering will also use the EXISTING config param
> hive.server2.authentication.ldap.baseDN
> This is an alternate configuration and will be used first if specified. So users 
> can continue to use existing configuration as well. These changes should not 
> interfere with existing configurations.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
