[ 
https://issues.apache.org/jira/browse/HADOOP-18074?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558804#comment-17558804
 ] 

Larry McCay commented on HADOOP-18074:
--------------------------------------

There appear to be a couple of problems in this code actually.
I am thinking that we just surgically address the original intent which was for 
a NamingException while processing the memberOf list to result in a secondary 
query rather than a partial list.

I'll try and add test coverage for the fallback which is currently missing even 
though there is clear intent in the code based on comments.

There are other possible issues here that will require further investigation:
* it seems that retries will attempt and process the memberOf list each time 
which will never be different
* perhaps there are filtering opportunities based on object type or the like 
before attempting to acquire the RDN for a DN that would be able to 
distinguish between actual group names and invalid DNs



> Partial/Incomplete groups list can be returned in LDAP groups lookup
> --------------------------------------------------------------------
>
>                 Key: HADOOP-18074
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18074
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Philippe Lanoe
>            Assignee: Larry McCay
>            Priority: Major
>
> Hello,
> The  
> {code:java}
> Set<String> doGetGroups(String user, int goUpHierarchy) {code}
> method in
> [https://github.com/apache/hadoop/blob/b27732c69b114f24358992a5a4d170bc94e2ceaf/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java#L476]
> looks like it has an issue if in the middle of the loop a *NamingException* 
> is caught:
> The groups variable is not reset in the catch clause and therefore the 
> fallback lookup cannot be executed (when goUpHierarchy==0 at least):
>
> {code:java}
> if (groups.isEmpty() || goUpHierarchy > 0) {        
>     groups = lookupGroup(result, c, goUpHierarchy);
> }
> {code}
>  
> Consequence is that only a partial list of groups is returned, which is not 
> correct.
> Following options could be used as solution:
>  * Reset the group to an empty list in the catch clause, to trigger the 
> fallback query.
>  * Add an option flag to enable ignoring groups with Naming Exception (since 
> they are not groups most probably)
> Independently, if any issue also occurs (and therefore the full list cannot be 
> returned) in the first lookup as well as in the fallback query, the method 
> should/could (with an option flag) throw an Exception, because in some scenarios 
> accuracy is important.
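The failure mode described in the issue, as an added, constructed illustration rather than Hadoop's own LdapGroupsMapping code: a memberOf list is walked, one malformed DN raises a NamingException part-way through, and the `groups.isEmpty()` guard then decides whether the secondary query runs. The class and method names, the memberOf values and the stubbed fallback query are assumptions made for this example; the `goUpHierarchy` parameter and the real LDAP search context are left out so the two shapes of the catch clause can be compared side by side.

```java
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Constructed model of the memberOf-then-fallback pattern discussed in HADOOP-18074.
 * Not Hadoop's LdapGroupsMapping; names and inputs are assumptions for illustration.
 */
public class MemberOfFallbackDemo {

    /** Constructed memberOf attribute: two valid group DNs around one malformed entry. */
    static final List<String> MEMBER_OF = Arrays.asList(
            "cn=admins,ou=groups,dc=example,dc=com",
            "this is not a dn",                        // provokes NamingException mid-loop
            "cn=developers,ou=groups,dc=example,dc=com");

    /** Stand-in for the secondary (fallback) group query; here a fixed answer. */
    static Set<String> lookupGroup() {
        return new LinkedHashSet<>(Arrays.asList("admins", "developers", "auditors"));
    }

    /** Take the group name from the most specific RDN ("cn=admins" -> "admins"); throws on malformed input. */
    static String groupNameFromDn(String dn) throws NamingException {
        LdapName name = new LdapName(dn);            // InvalidNameException extends NamingException
        Rdn rdn = name.getRdn(name.size() - 1);      // LdapName indexes from the rightmost component
        return rdn.getValue().toString();
    }

    /**
     * Buggy shape: the catch clause leaves the partial list in place, so
     * groups.isEmpty() is false and the fallback query never runs.
     * Result for MEMBER_OF: [admins] only.
     */
    static Set<String> getGroupsBuggy(List<String> memberOf) {
        Set<String> groups = new LinkedHashSet<>();
        try {
            for (String dn : memberOf) {
                groups.add(groupNameFromDn(dn));
            }
        } catch (NamingException e) {
            // swallowed: the partial result survives into the guard below
        }
        if (groups.isEmpty()) {
            groups = lookupGroup();
        }
        return groups;
    }

    /**
     * Fixed shape (the reporter's first option): discard the partial list on
     * failure so the secondary query is taken and a complete list is returned.
     * Result for MEMBER_OF: [admins, developers, auditors].
     */
    static Set<String> getGroupsFixed(List<String> memberOf) {
        Set<String> groups = new LinkedHashSet<>();
        try {
            for (String dn : memberOf) {
                groups.add(groupNameFromDn(dn));
            }
        } catch (NamingException e) {
            groups.clear();   // reset, so the fallback below is triggered
        }
        if (groups.isEmpty()) {
            groups = lookupGroup();
        }
        return groups;
    }

    public static void main(String[] args) {
        System.out.println("buggy: " + getGroupsBuggy(MEMBER_OF));
        System.out.println("fixed: " + getGroupsFixed(MEMBER_OF));
    }
}
```

Run with `javac MemberOfFallbackDemo.java && java MemberOfFallbackDemo`. The point a test for the fallback should pin down is the second line: with one bad DN in the list, the fixed version returns the fallback query's complete set instead of the truncated one, which is exactly the case the issue says is currently untested.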



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
