[
https://issues.apache.org/jira/browse/HADOOP-12785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15233519#comment-15233519
]
Mukhadin Buzdov commented on HADOOP-12785:
------------------------------------------
[~jojochuang], as for the self-signed certificates, I didn't have any
problems with them as soon as I saw the details in the stack trace.
Please follow e.g. the [Hortonworks manual
page|https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.1/bk_Ambari_Security_Guide/content/_configure_ambari_to_use_ldap_server.html];
there are two ways to handle this case:
* Adding the _LDAPS Server_'s certificate to the _JDK_ keystore, which is less secure,
since all other _JDK_ applications will also trust this certificate. But it is
fine in most cases.
* Generating your own JKS truststore and setting up the [related
properties|https://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/core-default.xml]
during configuration, i.e.:
** hadoop.security.group.mapping.ldap.ssl.keystore
** hadoop.security.group.mapping.ldap.ssl.keystore.password.file
This works for me, so please check it on your side.
> [Handling exceptions] LdapGroupsMapping.getGroups() do not provide
> information about root cause
> -----------------------------------------------------------------------------------------------
>
> Key: HADOOP-12785
> URL: https://issues.apache.org/jira/browse/HADOOP-12785
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.7.1
> Environment: _Operating system_: CentOS Linux 7
> {color:gray}(7.1.1503){color}
> _Platform_: HDP 2.3.4.0, Ambari 2.1.2
> Reporter: Mukhadin Buzdov
> Assignee: Wei-Chiu Chuang
> Priority: Minor
> Labels: easyfix
> Attachments: HADOOP-12785.001.patch
>
>
> _CommunicationException_ and _NamingException_ are not logged in
> _LdapGroupsMapping.getGroups()_.
> {code:title=LdapGroupsMapping.java|borderStyle=solid}
> public synchronized List<String> getGroups(String user) throws IOException {
>   List<String> emptyResults = new ArrayList<String>();
>   // ...
>   try {
>     return doGetGroups(user);
>   } catch (CommunicationException e) {
>     LOG.warn("Connection is closed, will try to reconnect");
>   } catch (NamingException e) {
>     LOG.warn("Exception trying to get groups for user " + user + ": " +
>         e.getMessage());
>     return emptyResults;
>   }
>   //...
>   return emptyResults;
> }
> {code}
> {color:red}It is not possible to understand _LDAP_ level failures.{color}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
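The two points on this page, the truststore configuration from the comment and the swallowed root cause from the quoted issue, as an added stand-alone example that is neither Hadoop's code nor the commenter's. It opens a JNDI context to an LDAPS URL the way a group lookup would and, on failure, logs the whole exception chain (including NamingException.getRootCause(), where the PKIX/handshake error lives) instead of only e.getMessage(). The optional truststore arguments mirror the two core-site.xml properties named in the comment (a JKS path plus a file holding its password); wiring them in through the javax.net.ssl.trustStore* system properties is this example's choice, and how LdapGroupsMapping itself passes the keystore to JNDI is not shown on this page. The class name, the anonymous bind, the 5 s connect timeout and the argument order are all assumptions of the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example, not Hadoop code. Exercises the LDAPS TLS handshake with an
 * optional dedicated JKS truststore and prints the full failure chain.
 * Usage (assumed): LdapsRootCauseProbe ldaps://host:636 [truststore.jks password-file]
 */
public class LdapsRootCauseProbe {

    /** Reads the truststore password from a file, dropping the trailing newline. */
    static String readPasswordFile(String path) throws IOException {
        return new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8).trim();
    }

    /** Renders the exception and every cause beneath it, one level per line. */
    static String describeChain(Throwable t) {
        StringBuilder sb = new StringBuilder();
        int depth = 0;
        while (t != null) {
            if (depth > 0) sb.append("\n  caused by: ");
            sb.append(t.getClass().getName()).append(": ").append(t.getMessage());
            // NamingException stores the underlying SSL/socket error as its root cause;
            // that is the part getMessage() alone never shows.
            Throwable next = (t instanceof NamingException)
                    ? ((NamingException) t).getRootCause() : t.getCause();
            if (next == null) next = t.getCause();
            if (next == t) break;
            t = next;
            depth++;
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.err.println("usage: LdapsRootCauseProbe ldaps://host:636 [truststore.jks password-file]");
            System.exit(2);
        }
        if (args.length >= 3) {
            // Dedicated truststore: only this JVM trusts the LDAPS certificate,
            // unlike importing it into the JDK-wide cacerts.
            System.setProperty("javax.net.ssl.trustStore", args[1]);
            System.setProperty("javax.net.ssl.trustStorePassword", readPasswordFile(args[2]));
            System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // Anonymous bind is enough to drive the TLS handshake, which is where a
        // self-signed certificate fails (assumed; servers that refuse anonymous
        // binds surface that as a NamingException subclass, still logged below).
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            System.out.println("TLS handshake and bind succeeded against " + args[0]);
        } catch (CommunicationException e) {
            // The quoted getGroups() only logs "Connection is closed, will try to
            // reconnect" here; the chain below is what a practitioner needs.
            System.err.println("LDAP communication failure:\n  " + describeChain(e));
            System.exit(1);
        } catch (NamingException e) {
            System.err.println("LDAP naming failure:\n  " + describeChain(e));
            System.exit(1);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

Run it once without the truststore arguments against a server with a self-signed certificate to see the handshake failure chain, then again with the JKS truststore and password file; the password file should be readable only by the service account, since the same file is what the hadoop.security.group.mapping.ldap.ssl.keystore.password.file property points at.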