[
https://issues.apache.org/jira/browse/HIVE-27311?focusedWorklogId=861188&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-861188
]
ASF GitHub Bot logged work on HIVE-27311:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 09/May/23 12:47
Start Date: 09/May/23 12:47
Worklog Time Spent: 10m
Work Description: nrg4878 commented on code in PR #4284:
URL: https://github.com/apache/hive/pull/4284#discussion_r1188544003
##########
service/src/java/org/apache/hive/service/auth/ldap/UserGroupSearchFilterFactory.java:
##########
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hive.service.auth.ldap;
+
+import com.google.common.base.Strings;
+
+import java.util.List;
+import javax.naming.NamingException;
+import javax.security.sasl.AuthenticationException;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * A factory for a {@link Filter} based on user and group search filters.
+ * <br>
+ * The produced filter object filters out all users that are not found in the
search result
+ * of the query provided in Hive configuration.
+ * Atleast one search criteria is REQUIRED.
+ * Configuration could have Usersearch filter or Groupsearch filter or both.
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPSEARCHFILTER
+ * @see HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPBASEDN
+ */
+public class UserGroupSearchFilterFactory implements FilterFactory {
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Filter getInstance(HiveConf conf) {
+ String userSearchFilter =
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER.varname);
+ String userSearchBaseDN =
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_BASEDN.varname);
+ String groupSearchFilter =
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPSEARCHFILTER.varname);
+ String groupSearchBaseDN =
conf.get(HiveConf.ConfVars.HIVE_SERVER2_PLAIN_LDAP_GROUPBASEDN.varname);
+
+ // Both UserSearch and GroupSearch cannot be null or empty.
+ if (Strings.isNullOrEmpty(userSearchFilter) &&
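Review bot: The inline comment just above the final `if`, "Both UserSearch and GroupSearch cannot be null or empty", reads as if both filters are mandatory, while the class Javadoc says at least one search criterion is required and the condition opens with `Strings.isNullOrEmpty(userSearchFilter) &&`. Reword it to say that at least one of the two filters must be set, and note in the Javadoc that the group filter and its base DN are optional. The hunk is cut off at the `&&`, so the rest of the check is not visible here; since both `userSearchBaseDN` and `groupSearchBaseDN` are read above, confirm that a configured filter paired with an empty base DN is handled explicitly rather than passed through to the search. Minor: "Atleast" should be "At least", and the `@see` tags would resolve in Javadoc if written in the `HiveConf.ConfVars#HIVE_SERVER2_PLAIN_LDAP_USERSEARCHFILTER` form.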
Review Comment:
Yes, the group filter can be empty (so groupBaseDN is not needed either). In
this case, only a user search is performed. Did you want me to change
something to make this clear?
Issue Time Tracking
-------------------
Worklog Id: (was: 861188)
Time Spent: 2h (was: 1h 50m)
> Improve LDAP auth to support generic search bind authentication
> ---------------------------------------------------------------
>
> Key: HIVE-27311
> URL: https://issues.apache.org/jira/browse/HIVE-27311
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
> Affects Versions: 4.0.0-alpha-2
> Reporter: Naveen Gangam
> Assignee: Naveen Gangam
> Priority: Major
> Labels: pull-request-available
> Time Spent: 2h
> Remaining Estimate: 0h
>
> Hive's LDAP auth configuration is home-baked and a bit specific to hive. This
> was by design intending to be as flexible as it can be for accommodating
> various LDAP implementations. But this does not necessarily make it easy to
> configure hive with such custom values for ldap filtering when most other
> components accept generic ldap filters, for example: search bind filters.
> There has to be a layer of translation to have it configured. Instead we can
> enhance Hive to support generic search bind filters.
> To support this, I am proposing adding NEW alternate configurations.
> hive.server2.authentication.ldap.userSearchFilter
> hive.server2.authentication.ldap.groupSearchFilter
> hive.server2.authentication.ldap.groupBaseDN
> Search bind filtering will also use EXISTING config param
> hive.server2.authentication.ldap.baseDN
> This is an alternate configuration and will be used first if specified. So users
> can continue to use existing configuration as well. These changes should not
> interfere with existing configurations.