[
https://issues.apache.org/jira/browse/HIVE-26502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Naveen Gangam updated HIVE-26502:
---------------------------------
Description:
Currently, Hive's ldap userfiltering is based on configuring a set of patterns
in which wild cards are replaced by usernames and searched for. While this
model supports advanced filtering options where a corporate ldap can have users
in different orgs and trees, it does not quite support generic ldap searches
like this.
(&(uid={0})(objectClass=person))
To be able to support this without making changes to the semantics of existing
configuration params, and to be backward compatible, we can enhance the
existing custom query functionality to support this.
With a configuration like this, we should be able to perform a search for
the user whose uid matches the username being authenticated.
{noformat}
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value>dc=apache,dc=org</value>
</property>
<property>
<name>hive.server2.authentication.ldap.customLDAPQuery</name>
<value>(&(uid={0})(objectClass=person))</value>
</property>
{noformat}
was:
Currently, Hive's ldap userfiltering is based on configuring a set of patterns
in which wild cards are replaced by usernames and searched for. While this
model supports advanced filtering options where a corporate ldap can have users
in different orgs and trees, it does not quite support generic ldap searches
like this.
(&(uid={0})(objectClass=person))
To be able to support this without making changes to the semantics of existing
configuration params, and to be backward compatible, we can enhance the
existing custom query functionality to support this.
With a configuration like this, we should be able to perform a search for
the user whose uid matches the username being authenticated.
<property>
<name>hive.server2.authentication.ldap.baseDN</name>
<value>dc=apache,dc=org</value>
</property>
<property>
<name>hive.server2.authentication.ldap.customLDAPQuery</name>
<value>(&(uid={0})(objectClass=person))</value>
</property>
> Improve LDAP auth to support include generic user filters
> ---------------------------------------------------------
>
> Key: HIVE-26502
> URL: https://issues.apache.org/jira/browse/HIVE-26502
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
> Affects Versions: 4.0.0-alpha-1
> Reporter: Naveen Gangam
> Assignee: Naveen Gangam
> Priority: Major
>
> Currently, Hive's ldap userfiltering is based on configuring a set of
> patterns in which wild cards are replaced by usernames and searched for.
> While this model supports advanced filtering options where a corporate ldap
> can have users in different orgs and trees, it does not quite support generic
> ldap searches like this.
> (&(uid={0})(objectClass=person))
> To be able to support this without making changes to the semantics of
> existing configuration params, and to be backward compatible, we can enhance
> the existing custom query functionality to support this.
> With a configuration like this, we should be able to perform a search for
> the user whose uid matches the username being authenticated.
> {noformat}
> <property>
> <name>hive.server2.authentication.ldap.baseDN</name>
> <value>dc=apache,dc=org</value>
> </property>
> <property>
> <name>hive.server2.authentication.ldap.customLDAPQuery</name>
> <value>(&(uid={0})(objectClass=person))</value>
> </property>
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
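
An added example, not part of the original message and not Hive's own code: one way to expand the `{0}` placeholder of the filter quoted above so that the username is always treated as a literal value, by escaping it per RFC 4515 before substitution. The class and method names are hypothetical, and the usernames are constructed sample input.

```java
public class LdapUserFilterExample {

    // Filter template from the issue; {0} stands for the username being authenticated.
    static final String TEMPLATE = "(&(uid={0})(objectClass=person))";

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515, section 3).
     * The characters \ * ( ) and NUL are replaced by a backslash and two hex digits.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Substitutes the escaped username for every {0} in the template. */
    static String expandFilter(String template, String username) {
        if (username == null || username.isEmpty()) {
            // An empty value would produce "(uid=)", which is not a usable user filter.
            throw new IllegalArgumentException("username must not be empty");
        }
        return template.replace("{0}", escapeFilterValue(username));
    }

    public static void main(String[] args) {
        // Constructed sample usernames: a plain one and two containing filter metacharacters.
        String[] samples = { "alice", "j.smith(contractor)", "*" };
        for (String user : samples) {
            System.out.println(user + " -> " + expandFilter(TEMPLATE, user));
        }
        // alice               -> (&(uid=alice)(objectClass=person))
        // j.smith(contractor) -> (&(uid=j.smith\28contractor\29)(objectClass=person))
        // *                   -> (&(uid=\2a)(objectClass=person))
    }
}
```

With the escaping in place, a username of `*` searches for a uid that is literally an asterisk instead of acting as a wildcard, and parentheses in a username cannot change the structure of the filter.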