[jira] [Commented] (HADOOP-18388) Allow dynamic groupSearchFilter in LdapGroupsMapping

Tue, 23 Aug 2022 04:56:05 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-18388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583540#comment-17583540
 ] 

Ayush Saxena commented on HADOOP-18388:
---------------------------------------

Thanx [~lmccay] , As discussed sharing the details here.

Have been discussing the issue with [~lbiro] , the typical use case surfaces 
due to some Ranger integration, [~lbiro] can share more details here.

I drafted a patch, it is a very raw code just to show what I am thinking, not 
sure if there is a better way to do or whether we can do it or not, will 
require some pointers here.

The idea is basically,

Get the group search filter parameters from the attributes in csv format, say 
we get userDn, userName as the value.

Then in the group search filter replace the \{0}, \{1} with userDn & userName, 
as in the order specified in the group search filter. We get the entries 
specified in the filter params like username and all also from the attributes. 

> Allow dynamic groupSearchFilter in LdapGroupsMapping
> ----------------------------------------------------
>
>                 Key: HADOOP-18388
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18388
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Ayush Saxena
>            Priority: Major
>         Attachments: dynamic-filter-idea.patch
>
>
> As of now the lookupGroup() method doesn't allow to have placeholders in 
> groupSearchFilter, so that can not be dynamically adjusted.
> If we have placeholders for groupSearchFilter like: 
> (&(|(XYZ=\{0})(ABC=\{1}))(objectClass=posixGroup))
> This fails here:
>  
> {code:java}
> groupResults =
>     c.search(groupbaseDN,
>         "(&" + groupSearchFilter + "(" + groupMemberAttr + "={0}))",
>         new Object[]{userDn},
>         SEARCH_CONTROLS); {code}
> With 
>  
>  
> {noformat}
> javax.naming.directory.InvalidSearchFilterException: number exceeds argument 
> list: 1; remaining name {noformat}
>  
> >>Dropped off or changed the details above which I thought won't be safe to 
> >>disclose.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to