[
https://issues.apache.org/jira/browse/HADOOP-12782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15149803#comment-15149803
]
Kai Zheng commented on HADOOP-12782:
------------------------------------
The optimization looks good and makes sense to me. Thanks!
Some comments:
1. Does the optimization only work for ActiveDirectory, or is there any similar
attribute to {{memberOf}} for other LDAP providers?
2. May be not good to use {{Faster}}, {{ldapFastLookup}} because some time
later some even faster approaches might be found out. Suggest changing
{{hadoop.security.group.mapping.ldap.search.filter.group=ldapFastLookup}} to
{{hadoop.security.group.mapping.ldap.search.attr.memberof}} similar to the
existing one {{hadoop.security.group.mapping.ldap.search.attr.member}}. The
logic is, if it's set, then the attribute value will be used as proposed. This
way, if other LDAP solutions other than MS AD has similar attribute to employ,
then the attribute name can be set to the item and the optimized way still
works.
> Faster LDAP group name resolution with ActiveDirectory
> ------------------------------------------------------
>
> Key: HADOOP-12782
> URL: https://issues.apache.org/jira/browse/HADOOP-12782
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Attachments: HADOOP-12782.001.patch, HADOOP-12782.002.patch
>
>
> The typical LDAP group name resolution works well under typical scenarios.
> However, we have seen cases where a user is mapped to many groups (in an
> extreme case, a user is mapped to more than 100 groups). The way it's being
> implemented now makes this case super slow resolving groups from
> ActiveDirectory.
> The current LDAP group resolution implementation sends two queries to a
> ActiveDirectory server. The first query returns a user object, which contains
> DN (distinguished name). The second query looks for groups where the user DN
> is a member. If a user is mapped to many groups, the second query returns all
> group objects associated with the user, and is thus very slow.
> After studying a user object in ActiveDirectory, I found a user object
> actually contains a "memberOf" field, which is the DN of all group objects
> where the user belongs to. Assuming that an organization has no recursive
> group relation (that is, a user A is a member of group G1, and group G1 is a
> member of group G2), we can use this properties to avoid the second query,
> which can potentially run very slow.
> I propose that we add a configuration to only enable this feature for users
> who want to reduce group resolution time and who does not have recursive
> groups, so that existing behavior will not be broken.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
