[ 
https://issues.apache.org/jira/browse/HIVE-27311?focusedWorklogId=860434&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860434
 ]

ASF GitHub Bot logged work on HIVE-27311:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/May/23 19:41
            Start Date: 03/May/23 19:41
    Worklog Time Spent: 10m 
      Work Description: nrg4878 commented on code in PR #4284:
URL: https://github.com/apache/hive/pull/4284#discussion_r1184180338


##########
service/src/java/org/apache/hive/service/auth/ldap/DirSearch.java:
##########
@@ -34,6 +34,16 @@ public interface DirSearch extends Closeable {
    */
   String findUserDn(String user) throws NamingException;
 
+  /**
+   * Finds user's distinguished name.
+   * @param user username
+   * @param userSearchFilter Generic LDAP Search filter for ex: 
(&(uid={0})(objectClass=person))
+   * @param baseDn LDAP BaseDN for user searches for ex: dc=apache,dc=org
+   * @return DN for the specific user if exists, null otherwise
+   * @throws NamingException
+   */
+  String findUserDnBySearch(String user, String userSearchFilter, String 
baseDn) throws NamingException;
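
Review bot: The Javadoc for findUserDnBySearch does not say whether user is escaped before it replaces {0} in userSearchFilter. Because the filter is a generic LDAP filter, the @param text should state either that implementations escape filter metacharacters in the username (RFC 4515) or that callers must pass an already escaped value. The summary line "Finds user's distinguished name." also does not say how this method differs from findUserDn, the @throws NamingException tag has no description, and the @return text should say what happens when the search matches more than one entry.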

Review Comment:
   yeah, this entire code was replicated for supporting ldap auth for HMS. I 
think it would make sense to make changes to the HMS provider as well. I wasn't 
sure how to test it manually though. Will give it a try otherwise may have to 
fork the work for another jira.
   
   It is possible to lump them both into single method. I kept them separate 
for a couple reasons. findUserDn() and findUserDnBySearch() use different 
criteria/configuration to find the userDN from a given username.  This requires 
a change to the interface method though, which I wasn't very fond of. This also 
kept the methods separate based on the factory that was calling it. Less 
intersection with existing code. As this is an alternate configuration for LDAP.
   If you feel strongly about merging them, I can give it a shot.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 860434)
    Time Spent: 50m  (was: 40m)

> Improve LDAP auth to support generic search bind authentication
> ---------------------------------------------------------------
>
>                 Key: HIVE-27311
>                 URL: https://issues.apache.org/jira/browse/HIVE-27311
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 4.0.0-alpha-2
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Hive's LDAP auth configuration is home-baked and a bit specific to hive. This 
> was by design intending to be as flexible as it can be for accommodating 
> various LDAP implementations. But this does not necessarily make it easy to 
> configure hive with such custom values for ldap filtering when most other 
> components accept generic ldap filters, for example: search bind filters.
> There has to be a layer of translation to have it configured. Instead we can 
> enhance Hive to support generic search bind filters.
> To support this, I am proposing adding NEW alternate configurations. 
> hive.server2.authentication.ldap.userSearchFilter
> hive.server2.authentication.ldap.groupSearchFilter
> hive.server2.authentication.ldap.groupBaseDN
> Search bind filtering will also use EXISTING config param
> hive.server2.authentication.ldap.baseDN
> This is alternate configuration and will be used first if specified. So users 
> can continue to use existing configuration as well. These changes should not 
> interfere with existing configurations.


