[https://issues.apache.org/jira/browse/KNOX-461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15987004#comment-15987004]
Ryan LaMothe commented on KNOX-461:
-----------------------------------
Currently, KNOX is the only Hadoop component that we use which does not support
Active Directory virtual attribute reverse lookups, which is forcing us to
create complex work-arounds to try and use KNOX in our environment. In our
case, we have hundreds of thousands of groups (e.g. RBAC) in Active Directory,
so all of our enterprise software and tooling looks up Users first, then
searches the User's 'memberOf' list and performs a reverse lookup of Groups.
This works well because each User is typically only a 'memberOf' a few tens or
hundreds of groups. It is also an extremely fast lookup, compared to group
lookups, which is a primary reason Microsoft implemented the feature. By having
KNOX perform group lookups first, then searching each group's 'member' list for
Users, KNOX fails to scale or perform and this feature needs to be implemented
ASAP in KNOX.
> Leverage Directory Computed Attribute for User Group Discovery
> ---------------------------------------------------------------
>
> Key: KNOX-461
> URL: https://issues.apache.org/jira/browse/KNOX-461
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Dilli Arumugam
> Priority: Critical
> Fix For: Future
>
>
> Leverage Directory Computed Attribute for User Group Discovery
> We should use the computed attribute memberOf supported by Active Directory to
> discover the groups of the authenticated user. This would significantly boost
> performance as compared to computing groups using a group search.
> OpenLDAP also could be configured to return computed groups.
> However, OpenLDAP would return this attribute as memberof.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
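The two lookup orders discussed in the comment and the issue description, as an added example that is not Knox code and not part of the JIRA thread. It runs against a small constructed in-memory directory (the `example.com` DNs, the `alice` account and the `grpNNNN` filler groups are all made up here) so it needs no LDAP server. The filter builders are the part a practitioner would reuse: they escape values per RFC 4515 before splicing them into a filter, because a username or DN taken from the authentication step and inserted raw is an LDAP-injection vector under either strategy. Two caveats that the thread does not mention but that matter for authorization: Active Directory's `memberOf` lists only direct memberships (and omits the user's primary group, which is tracked by `primaryGroupID`), so nested grants are invisible unless you either walk the chain yourself or use the AD-specific `LDAP_MATCHING_RULE_IN_CHAIN` filter shown below.

```python
"""User-first (memberOf) versus group-first (member) group discovery, run on a
constructed in-memory directory; the read counter stands in for query cost."""
from collections import deque

# RFC 4515: these characters must be escaped inside a filter value, otherwise a
# user-controlled name or DN can alter the query (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Strategy A, step 1: indexed lookup of the user, requesting attribute memberOf."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def group_filter_for_member(user_dn: str) -> str:
    """Strategy B: a filter the server evaluates against every group under the base."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


def transitive_group_filter(user_dn: str) -> str:
    """AD-specific: matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
    makes the DC expand nested membership; plain memberOf is direct groups only."""
    return f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)})"


class Directory:
    """Minimal stand-in for a directory: entries keyed by DN plus a read counter."""

    def __init__(self):
        self.entries = {}   # dn -> attribute dict
        self.by_sam = {}    # sAMAccountName -> user dn (the indexed lookup AD offers)
        self.reads = 0

    def add_user(self, dn, sam):
        self.entries[dn] = {"objectClass": "user", "sAMAccountName": sam, "memberOf": []}
        self.by_sam[sam] = dn

    def add_group(self, dn, members=()):
        self.entries[dn] = {"objectClass": "group", "member": list(members), "memberOf": []}
        for m in members:                       # maintain the memberOf back-link
            self.entries[m]["memberOf"].append(dn)

    def read(self, dn):
        self.reads += 1
        return self.entries[dn]

    def group_dns(self):
        return [dn for dn, a in self.entries.items() if a["objectClass"] == "group"]


def groups_via_member_of(d: Directory, sam: str):
    """Strategy A: one user read plus one read per group the user belongs to."""
    user = d.read(d.by_sam[sam])
    return sorted(dn for dn in user["memberOf"] if d.read(dn)["objectClass"] == "group")


def groups_via_group_scan(d: Directory, sam: str):
    """Strategy B: one read per group in the directory, however few the user is in."""
    user_dn = d.by_sam[sam]
    return sorted(g for g in d.group_dns() if user_dn in d.read(g)["member"])


def groups_transitive(d: Directory, sam: str):
    """Client-side equivalent of the IN_CHAIN filter: follow memberOf links upward,
    so a grant made to a parent group is not missed by the authorization decision."""
    seen, queue = set(), deque(d.read(d.by_sam[sam])["memberOf"])
    while queue:
        g = queue.popleft()
        if g not in seen:
            seen.add(g)
            queue.extend(d.read(g)["memberOf"])
    return sorted(seen)


def build_sample_directory(n_groups: int = 500) -> Directory:
    """Constructed data: alice is a direct member of two groups among n_groups filler
    groups; one of her groups is itself nested inside all-admins."""
    d = Directory()
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    d.add_user(alice, "alice")
    for i in range(n_groups):
        d.add_group(f"CN=grp{i:04d},OU=Groups,DC=example,DC=com")
    d.add_group("CN=hadoop-users,OU=Groups,DC=example,DC=com", [alice])
    d.add_group("CN=knox-admins,OU=Groups,DC=example,DC=com", [alice])
    d.add_group("CN=all-admins,OU=Groups,DC=example,DC=com",
                ["CN=knox-admins,OU=Groups,DC=example,DC=com"])
    return d


def compare(n_groups: int = 500) -> dict:
    """Run both strategies on fresh copies and report groups found and entries read."""
    a, b = build_sample_directory(n_groups), build_sample_directory(n_groups)
    res_a, res_b = groups_via_member_of(a, "alice"), groups_via_group_scan(b, "alice")
    return {"direct": res_a, "same_result": res_a == res_b,
            "reads_member_of": a.reads, "reads_group_scan": b.reads,
            "transitive": groups_transitive(build_sample_directory(n_groups), "alice")}


if __name__ == "__main__":
    print(compare())
```

With 500 filler groups the user-first path touches 3 entries and the group-first path touches 503; the gap grows linearly with the number of groups in the forest, which is the scaling problem the comment describes. The `transitive` result includes `all-admins` even though alice is not a direct member of it, which is exactly what a check that stops at `memberOf` would miss.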