----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/40019/#review106254 -----------------------------------------------------------
Ship it! Ship It! - Robert Nettleton On Nov. 11, 2015, 5:48 p.m., Oliver Szabo wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/40019/ > ----------------------------------------------------------- > > (Updated Nov. 11, 2015, 5:48 p.m.) > > > Review request for Ambari, Dmytro Sen, Robert Levas, Robert Nettleton, and > Sumit Mohanty. > > > Bugs: AMBARI-13767 > https://issues.apache.org/jira/browse/AMBARI-13767 > > > Repository: ambari > > > Description > ------- > > Group Membership not pulled in with FreeIPA/RHELIDM > > In FreeIPA/RHEL (389 DS for the directory server implementation) the DN is > not an attribute on the user, and cannot be used in a filter like this: > > (&(objectClass=posixaccount)(|(dn=uid=dstreev,cn=users,cn=accounts,dc=hdp,dc=local)(uid=uid=dstreev,cn=users,cn=accounts,dc=hdp,dc=local))) > > > Notes: > - MemberAttributes can be used to query/filter on the groups/users. E.g.: in > openldap the member attributes are names, like: hive,hadoop etc. -> there we > can use the actual solution. In another providers, like freeIPA the member > attributes looks like: uid=hive,cn=..., that means these attributes can be > used in queries as the baseDN (so dn part is not needed in the filter), than > the query wont fail. > > - there is no group-group relation in ambari. for nested groups: currently > we don't see the user members in the upper groups. I could flatten the users > to the upper groups during the sync, but it is not the right way to do it, > because in case of we delete a user from the subgroup and we syncing only on > the subgroup, the users are not deleted from the upper groups. (we can do > that, but then we sync all of the groups..) > -> the right way should be if we would see the subgroups in the upper groups > (for that, we need the group-group relationship in the future) > > > Diffs > ----- > > > ambari-server/src/main/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulator.java > 103cfcb > > ambari-server/src/test/java/org/apache/ambari/server/security/ldap/AmbariLdapDataPopulatorTest.java > 3f4f7b5 > > Diff: https://reviews.apache.org/r/40019/diff/ > > > Testing > ------- > > Unit tests done. > > Functional testing: > - works as expected with different ldap providers > - nested group case: groupA has a groupB member, groupB has 2 users. Group > csv file only contains groupA, then groupA and groupB were processed and 2 > memberships were created. > > > Thanks, > > Oliver Szabo > >
