[ 
https://issues.apache.org/jira/browse/HADOOP-18074?focusedWorklogId=789733&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-789733
 ]

ASF GitHub Bot logged work on HADOOP-18074:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Jul/22 20:34
            Start Date: 11/Jul/22 20:34
    Worklog Time Spent: 10m 
      Work Description: lmccay commented on PR #4550:
URL: https://github.com/apache/hadoop/pull/4550#issuecomment-1180842595

   +1 provided by @steveloughran via https://github.com/apache/hadoop/pull/4503 
- waiting on yetus greenlight here...




Issue Time Tracking
-------------------

    Worklog Id:     (was: 789733)
    Time Spent: 1h 40m  (was: 1.5h)

> Partial/Incomplete groups list can be returned in LDAP groups lookup
> --------------------------------------------------------------------
>
>                 Key: HADOOP-18074
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18074
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Philippe Lanoe
>            Assignee: Larry McCay
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Hello,
> The  
> {code:java}
> Set<String> doGetGroups(String user, int goUpHierarchy) {code}
> method in
> [https://github.com/apache/hadoop/blob/b27732c69b114f24358992a5a4d170bc94e2ceaf/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java#L476]
> looks like it has an issue if a *NamingException* is caught in the middle 
> of the loop:
> The groups variable is not reset in the catch clause and therefore the 
> fallback lookup cannot be executed (when goUpHierarchy==0 at least):
> {code:java}
> if (groups.isEmpty() || goUpHierarchy > 0) {        
>     groups = lookupGroup(result, c, goUpHierarchy);
> }
> {code}
>  
> The consequence is that only a partial list of groups is returned, which is 
> not correct.
> The following options could be used as a solution:
>  * Reset the group to an empty list in the catch clause, to trigger the 
> fallback query.
>  * Add an option flag to enable ignoring groups with a Naming Exception (since 
> they are most probably not groups)
> Independently, should any issue also occur (so that the full list cannot be 
> returned) in the first lookup as well as in the fallback query, the method 
> should/could (with an option flag) throw an Exception, because in some 
> scenarios accuracy is important.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
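
Added example, not part of the original report or of the Hadoop code base: a self-contained Java simulation of the behaviour the report describes, with the first proposed option (reset in the catch clause) behind a switch. FIRST_LOOKUP, groupName, fallbackLookup and resetOnError are hypothetical stand-ins with constructed data; only the `groups.isEmpty() || goUpHierarchy > 0` condition is taken from the report.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.naming.NamingException;

public class PartialGroupsDemo {
    // Constructed sample data: values returned by the first lookup; the second is malformed.
    static final List<String> FIRST_LOOKUP = List.of(
        "cn=analysts,ou=groups,dc=example,dc=com",
        "malformed-entry",
        "cn=admins,ou=groups,dc=example,dc=com");

    // Hypothetical stand-in for the fallback query (lookupGroup in the report).
    static Set<String> fallbackLookup() {
        return new LinkedHashSet<>(List.of("analysts", "admins"));
    }

    // Hypothetical parser: throws NamingException for a value that is not a cn=... DN.
    static String groupName(String dn) throws NamingException {
        if (!dn.startsWith("cn=") || !dn.contains(",")) {
            throw new NamingException("cannot parse group: " + dn);
        }
        return dn.substring(3, dn.indexOf(','));
    }

    static Set<String> getGroups(int goUpHierarchy, boolean resetOnError) {
        Set<String> groups = new LinkedHashSet<>();
        try {
            for (String dn : FIRST_LOOKUP) {
                groups.add(groupName(dn)); // throws on the second value, ending the loop
            }
        } catch (NamingException e) {
            if (resetOnError) {
                groups.clear(); // discard the partial result so the fallback runs
            }
        }
        // Same condition as the snippet in the report.
        if (groups.isEmpty() || goUpHierarchy > 0) {
            groups = fallbackLookup();
        }
        return groups;
    }

    public static void main(String[] args) {
        System.out.println("without reset: " + getGroups(0, false));
        System.out.println("with reset:    " + getGroups(0, true));
    }
}
```

With resetOnError false and goUpHierarchy 0, the returned set stops at the entry before the failing one, so any authorization decision based on group membership is made on an incomplete set.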
