[
https://issues.apache.org/jira/browse/KNOX-644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15415494#comment-15415494
]
Kevin Risden commented on KNOX-644:
-----------------------------------
[~lmccay] - I like the KIP; it looks like a good approach. I need to subscribe to
the knox-dev/knox-user mailing lists still to comment on the thread you started
for it.

Currently for other Hadoop services, the clusters have been configured with the
default Hadoop group mapping and not to use LDAP directly. This is because the
cluster nodes have been configured to get groups from LDAP (via
SSSD/Centrify/etc).

Even if the Hadoop Groups Mapping solves the issue, it would be great for the
group lookup code amongst Hadoop projects to be similar (Ranger, Ambari, Knox,
etc). Each of them does group lookup slightly differently, which causes annoyances.
Ranger and Ambari do basically the same type of group lookup and don't use the
Hadoop Group Mapping.

> Limit/page results of LDAP group membership search
> ---------------------------------------------------
>
> Key: KNOX-644
> URL: https://issues.apache.org/jira/browse/KNOX-644
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.6.0
> Reporter: Kevin Minder
> Priority: Critical
> Fix For: 0.10.0
>
> Attachments: KNOX-644-paging.patch, KNOX-644.patch, ad_setup.ps1,
> create_groups_ldif.py, paging.patch
>
>
> Some users are finding that they have >1000 groups that would be returned
> given how Knox currently implements group lookup. ActiveDirectory currently
> limits search results to 1000 items and this causes failures that require
> workarounds at the client side. Ideally Knox's LDAP group search
> implementation would either limit/filter the results or page the result sets
> that are unavoidably large.