[
https://issues.apache.org/jira/browse/HADOOP-12291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15267604#comment-15267604
]
Anu Engineer commented on HADOOP-12291:
---------------------------------------
bq. The thought behind leaving the option of using -1 was that some companies
may have a deeply nested structure and do not mind the cost of the lookups.
I do see the use case, but I am more worried that someone will have a slow
LDAP/AD server and will cause a general slowdown of Namenode.
Also another issue that I see is that with infinite recursion we really have no
control over timeout; based on this patch, timeout is per query. So in the
infinite recursion scheme the time is number of times you recur multiplied by
timeout. At that point {{timeOut}} really has no meaning. As you pointed out,
in the current scheme it is {{2 * timeOut}}. In your new scheme it will be
{{max(Recur Depth, Configured Value) * timeOut}}. But in the infinite scheme,
it is N * timeout where N is dependent on some values in AD.
I am worried that support cost for such a feature would be too high. Also if we
really need it, we know that with your patch it is an easy change to make.
bq. The DIRECTORY_SEARCH_TIMEOUT is a timeout set for each LDAP query.
That works very well since we know the MAX_UPPER bound for the query. So max
time is maxDepth * timeout. Would you care to document that with your
settings?
bq. I do not think you can make less LDAP queries.
Thank you, good to know.
I am looking forward to your next patch.
> Add support for nested groups in LdapGroupsMapping
> --------------------------------------------------
>
> Key: HADOOP-12291
> URL: https://issues.apache.org/jira/browse/HADOOP-12291
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.8.0
> Reporter: Gautam Gopalakrishnan
> Assignee: Esther Kundin
> Labels: features, patch
> Fix For: 2.8.0
>
> Attachments: HADOOP-12291.001.patch, HADOOP-12291.002.patch
>
>
> When using {{LdapGroupsMapping}} with Hadoop, nested groups are not
> supported. So for example if user {{jdoe}} is part of group A which is a
> member of group B, the group mapping currently returns only group A.
> Currently this facility is available with {{ShellBasedUnixGroupsMapping}} and
> SSSD (or similar tools) but would be good to have this feature as part of
> {{LdapGroupsMapping}} directly.
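The timeout arithmetic discussed in the comment above (one LDAP query per nesting level, so the worst case is maxDepth * timeout, versus an unbounded walk whose query count is dictated by the directory contents) is illustrated by the following added example. It is not Hadoop code and not the patch under review; the directory, the `QueryLog` class, `resolve_groups` and `worst_case_bound` are all constructed here for illustration, and a `memberOf`-style lookup is simulated with a dictionary instead of a real LDAP server.

```python
"""Simulated nested-group resolution with a per-query timeout budget.

Added illustration only: SAMPLE_DIRECTORY, QueryLog, resolve_groups and
worst_case_bound are constructed for this example and are not part of
Hadoop's LdapGroupsMapping.
"""
from dataclasses import dataclass

# Constructed sample directory, not real LDAP data: each name maps to the
# groups it is directly a member of (what a memberOf-style search returns).
# groupC is a member of groupA again, so the membership graph has a cycle.
SAMPLE_DIRECTORY = {
    "jdoe":   {"groupA"},
    "groupA": {"groupB"},
    "groupB": {"groupC"},
    "groupC": {"groupA"},
}


@dataclass
class QueryLog:
    """Counts simulated LDAP round-trips; each one may take up to timeout_s."""
    timeout_s: float
    queries: int = 0

    def search_parents(self, directory, names):
        """One LDAP query: direct parent groups of every entry in `names`.
        One query per level models a single filtered search per depth."""
        self.queries += 1
        parents = set()
        for name in names:
            parents |= directory.get(name, set())
        return parents

    def worst_case_seconds(self):
        """Total time if every query issued so far hit its timeout."""
        return self.queries * self.timeout_s


def resolve_groups(user, directory, max_depth, log):
    """Breadth-first nested-group resolution.

    max_depth >= 0 caps the number of LDAP queries, so wall-clock time is
    bounded by max_depth * timeout. max_depth == -1 walks until no new group
    appears; the visited set keeps cycles from looping forever, but the
    number of queries (and hence the total time) depends on the directory.
    """
    groups = set()
    frontier = {user}
    depth = 0
    while frontier and (max_depth < 0 or depth < max_depth):
        found = log.search_parents(directory, frontier)
        frontier = found - groups      # only expand groups not yet seen
        groups |= found
        depth += 1
    return groups


def worst_case_bound(max_depth, timeout_s):
    """Static upper bound on lookup time, or None when depth is unbounded."""
    if max_depth < 0:
        return None
    return max_depth * timeout_s


if __name__ == "__main__":
    for depth in (2, -1):
        log = QueryLog(timeout_s=10.0)
        groups = resolve_groups("jdoe", SAMPLE_DIRECTORY, depth, log)
        print(f"max_depth={depth:>2}: groups={sorted(groups)} "
              f"queries={log.queries} worst_case={log.worst_case_seconds()}s "
              f"static_bound={worst_case_bound(depth, 10.0)}")
```

With `max_depth=2` the lookup stops after two queries and groupC is never reached, but the operator can state up front that no lookup takes longer than 20 seconds with a 10-second per-query timeout. With `max_depth=-1` the same user costs four queries, a number that only the directory's nesting determines, which is the support concern raised in the comment.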
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)