[ 
https://issues.apache.org/jira/browse/HBASE-10919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13961364#comment-13961364
 ] 

Andrew Purtell commented on HBASE-10919:
----------------------------------------

We could start by doing something similar to Hadoop's LDAP group mapper (see 
org.apache.hadoop.security.LdapGroupsMapping). It would be familiar to admins 
who may have set that up before already.

You configure this provider with a user and password used to bind to the LDAP 
server, and the location of the LDAP server. Then, the base distinguished name 
to use for searches, and a filter expression to apply when searching for user 
objects, e.g.
{noformat}
(&(objectClass=user)(cn={0}))
{noformat}
We would then need to add new configuration for filtering out the object 
attributes we are not interested in. Any attributes remaining could become 
auths. 

Because the SLGs run inside the RegionServer processes with superuser 
privileges, it would be possible for them to add new labels to the system label 
dictionary dynamically as needed. Therefore the universe of labels/auth names 
would not need to be defined up front for new attributes found on relevant 
objects returned from LDAP searches.

Because this SLG would otherwise want to query LDAP for every user request, we 
would want to introduce caching of LDAP query responses with a limited 
lifetime, perhaps 5 or 10 minutes, and reuse the results of previous searches 
until they expire. 

> [VisibilityController] ScanLabelGenerator using LDAP
> ----------------------------------------------------
>
>                 Key: HBASE-10919
>                 URL: https://issues.apache.org/jira/browse/HBASE-10919
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Andrew Purtell
>             Fix For: 0.99.0, 0.98.2
>
>
> A ScanLabelGenerator that queries an external service, using the LDAP 
> protocol, for a set of attributes corresponding to the principal represented 
> by the request UGI, and converts any returned in the response to additional 
> auths in the effective set.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
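The design sketched in the comment above (bind to a directory, search under a base DN with a user filter that has a `{0}` placeholder, keep only an allow-list of attributes and turn them into auths, cache the result for a few minutes) can be made concrete as follows. This is an added example for this page, not HBase or Hadoop code, written in Python rather than Java so it runs stand-alone against an in-memory stand-in for the LDAP server. The names `LdapScanLabelGenerator`, `LdapLabelConfig`, `escape_filter_value`, `make_fake_directory` and `SAMPLE_ENTRIES` are assumptions, as is the reading that the *values* of the allow-listed attributes become auth names. The one point the comment does not spell out is that the principal name substituted for `{0}` has to be escaped per RFC 4515 so that it is matched literally (JNDI does this for you when the user is passed as a filter argument rather than concatenated into the filter string); the example does the escaping explicitly and the stub directory shows that a `*` principal then matches nothing.

```python
"""Sketch of an LDAP-backed ScanLabelGenerator (constructed example, not HBase code).

Design points taken from the comment: configurable base DN and user filter with a
{0} placeholder, an allow-list of attributes whose values become auths, and a TTL
cache so the directory is not queried on every request. The directory itself is
an in-memory stub so the example runs offline.
"""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Sequence, Tuple

LdapEntry = Dict[str, List[str]]
# search(base_dn, filter, attributes) -> matching entries. A real implementation
# would wrap a connection bound with the configured bind DN and password.
SearchFn = Callable[[str, str, Sequence[str]], List[LdapEntry]]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    Without this a principal name containing '*' or ')' would change the
    meaning of the filter instead of being matched literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\" or ord(ch) == 0 else ch
        for ch in value
    )


@dataclass(frozen=True)
class LdapLabelConfig:
    base_dn: str
    user_filter: str                   # e.g. "(&(objectClass=user)(cn={0}))"
    label_attributes: Tuple[str, ...]  # only these attributes become auths
    cache_ttl_seconds: float = 600.0   # the 5-10 minute window suggested above


class LdapScanLabelGenerator:
    def __init__(self, config: LdapLabelConfig, search: SearchFn,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.config = config
        self.search = search
        self.clock = clock
        self._cache: Dict[str, Tuple[float, FrozenSet[str]]] = {}
        self.lookups = 0  # directory round-trips, for observability

    def _build_filter(self, user: str) -> str:
        return self.config.user_filter.replace("{0}", escape_filter_value(user))

    def _query_labels(self, user: str) -> FrozenSet[str]:
        self.lookups += 1
        entries = self.search(self.config.base_dn, self._build_filter(user),
                              self.config.label_attributes)
        labels = set()
        for entry in entries:
            for attr in self.config.label_attributes:  # everything else is dropped
                labels.update(entry.get(attr, []))
        return frozenset(labels)

    def get_labels(self, user: str, existing_auths: Iterable[str]) -> List[str]:
        """Effective auth set: caller-supplied auths plus the LDAP-derived ones."""
        now = self.clock()
        cached = self._cache.get(user)
        if cached is None or cached[0] <= now:  # miss or expired: hit the directory
            labels = self._query_labels(user)
            self._cache[user] = (now + self.config.cache_ttl_seconds, labels)
        else:
            labels = cached[1]
        return sorted(set(existing_auths) | labels)


# Constructed in-memory directory standing in for the LDAP server.
SAMPLE_ENTRIES: List[LdapEntry] = [
    {"cn": ["alice"], "objectClass": ["user"], "department": ["finance"],
     "clearance": ["confidential"], "mail": ["alice@example.test"]},
    {"cn": ["bob"], "objectClass": ["user"], "department": ["engineering"],
     "mail": ["bob@example.test"]},
]
_CN_RE = re.compile(r"\(cn=([^)]*)\)")
_HEX_RE = re.compile(r"\\([0-9a-fA-F]{2})")


def make_fake_directory(entries: List[LdapEntry]) -> SearchFn:
    """Stub that understands only the (cn=...) clause and matches it literally."""
    def search(base_dn: str, ldap_filter: str, attrs: Sequence[str]) -> List[LdapEntry]:
        m = _CN_RE.search(ldap_filter)
        if m is None:
            return []
        cn = _HEX_RE.sub(lambda h: chr(int(h.group(1), 16)), m.group(1))
        return [{a: e[a] for a in attrs if a in e}
                for e in entries if e.get("cn") == [cn]]
    return search


CONFIG = LdapLabelConfig(
    base_dn="ou=people,dc=example,dc=test",
    user_filter="(&(objectClass=user)(cn={0}))",
    label_attributes=("department", "clearance"),
)

if __name__ == "__main__":
    gen = LdapScanLabelGenerator(CONFIG, make_fake_directory(SAMPLE_ENTRIES))
    print(gen.get_labels("alice", ["public"]))  # ['confidential', 'finance', 'public']
    print(gen.get_labels("alice", ["public"]), gen.lookups)  # cached: lookups stays 1
```

The `search` callable is the seam where a real bound LDAP connection would go; everything above it (filter construction, attribute allow-listing, caching) is what the SLG itself has to get right. Note that `mail` never becomes an auth because it is not in `label_attributes`, and that a cache entry is keyed by principal, so a user whose directory attributes change keeps the old auth set for at most one TTL.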