[ 
https://issues.apache.org/jira/browse/HADOOP-18074?focusedWorklogId=785016&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-785016
 ]

ASF GitHub Bot logged work on HADOOP-18074:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Jun/22 10:01
            Start Date: 27/Jun/22 10:01
    Worklog Time Spent: 10m 
      Work Description: steveloughran commented on PR #4503:
URL: https://github.com/apache/hadoop/pull/4503#issuecomment-1167148712

   Production code looks good; commented on the tests, with my main concern 
being "mockito test maintenance is painful, so we should help whoever has to do 
it as much as we can"
   
   +1 pending those changes for merging into trunk/branch-3.3, to see if any 
surprises happen this week. I will merge it into the 3.3.4 release next week




Issue Time Tracking
-------------------

    Worklog Id:     (was: 785016)
    Time Spent: 40m  (was: 0.5h)

> Partial/Incomplete groups list can be returned in LDAP groups lookup
> --------------------------------------------------------------------
>
>                 Key: HADOOP-18074
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18074
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Philippe Lanoe
>            Assignee: Larry McCay
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Hello,
> The  
> {code:java}
> Set<String> doGetGroups(String user, int goUpHierarchy) {code}
> method in
> [https://github.com/apache/hadoop/blob/b27732c69b114f24358992a5a4d170bc94e2ceaf/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java#L476]
> looks like it has an issue if in the middle of the loop a *NamingException* 
> is caught:
> The groups variable is not reset in the catch clause and therefore the 
> fallback lookup cannot be executed (when goUpHierarchy==0 at least):
> {code:java}
> if (groups.isEmpty() || goUpHierarchy > 0) {        
>     groups = lookupGroup(result, c, goUpHierarchy);
> }
> {code}
>  
> The consequence is that only a partial list of groups is returned, which is 
> not correct.
> The following options could be used as a solution:
>  * Reset the group to an empty list in the catch clause, to trigger the 
> fallback query.
>  * Add an option flag to enable ignoring groups with a Naming Exception (since 
> they are most probably not groups)
> Independently, should an issue also occur (and therefore the full list cannot 
> be returned) in the first lookup as well as in the fallback query, the method 
> should/could (with option flag) throw an Exception, because in some scenarios 
> accuracy is important.


