[
https://issues.apache.org/jira/browse/HIVE-15076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15812763#comment-15812763
]
Illya Yalovyy commented on HIVE-15076:
--------------------------------------
Thank you [~aihuaxu],
Is anything else expected from my side?
> Improve scalability of LDAP authentication provider group filter
> ----------------------------------------------------------------
>
> Key: HIVE-15076
> URL: https://issues.apache.org/jira/browse/HIVE-15076
> Project: Hive
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: 2.1.0
> Reporter: Illya Yalovyy
> Assignee: Illya Yalovyy
> Attachments: HIVE-15076.1.patch, HIVE-15076.2.patch,
> HIVE-15076.3.patch, HIVE-15076.4.patch, HIVE-15076.5.patch
>
>
> The current implementation uses the following algorithm:
> # For a given user find all groups that user is a member of. (A list of
> LDAP groups is constructed as a result of that request)
> # Match this list of groups with provided group filter.
>
> Time/Memory complexity of this approach is O(N) on the client side, where N is
> the number of groups the user has membership in. On a large directory (800+
> groups per user) we can observe up to 2x performance degradation and failures
> because of the size of the LDAP response (LDAP: error code 4 - Sizelimit Exceeded).
>
> Some Directory Services (Microsoft Active Directory for instance) provide a
> virtual attribute for User Object that contains a list of groups that user
> belongs to. This attribute can be used to quickly determine whether this user
> passes or fails the group filter.
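The two approaches from the issue description, as an added example that is not taken from Hive or from the attached patches: a small in-memory model of the group lookup next to the single user-entry filter. The attribute names memberOf and sAMAccountName (Active Directory), the size limit of 500 and all DNs are assumptions made for this illustration.

```python
SIZE_LIMIT = 500  # assumed server-side search size limit (constructed value)

class SizeLimitExceeded(Exception):
    """Stands in for 'LDAP: error code 4 - Sizelimit Exceeded'."""

def escape_filter_value(value):
    # RFC 4515: escape \ * ( ) and NUL so a name or DN cannot change the filter.
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def membership_filter(user_attr, user, member_attr, allowed_group_dns):
    """One filter on the user entry; matches only a user in an allowed group."""
    if not allowed_group_dns:
        raise ValueError("group filter is empty")  # "(|)" would be rejected
    groups = "".join("(%s=%s)" % (member_attr, escape_filter_value(dn))
                     for dn in allowed_group_dns)
    return "(&(%s=%s)(|%s))" % (user_attr, escape_filter_value(user), groups)

def enumerate_then_match(directory, user, allowed):
    """Current approach: fetch all N groups of the user, match on the client."""
    groups = directory[user]
    if len(groups) > SIZE_LIMIT:  # the response would carry N group entries
        raise SizeLimitExceeded(user)
    return any(dn in groups for dn in allowed)

def check_on_user_entry(directory, user, allowed):
    """Proposed approach: the server tests the virtual attribute, so the
    response holds at most one user entry however large N is."""
    return any(dn in directory[user] for dn in allowed)

# Constructed sample data: user -> set of group DNs.
ALLOWED = ["CN=hive-users,OU=Groups,DC=example,DC=com"]
DIRECTORY = {
    "alice": {"CN=g%d,OU=Groups,DC=example,DC=com" % i for i in range(800)}
             | set(ALLOWED),
    "bob": {"CN=g1,OU=Groups,DC=example,DC=com"},
}

if __name__ == "__main__":
    print(membership_filter("sAMAccountName", "alice", "memberOf", ALLOWED))
    for user in sorted(DIRECTORY):
        try:
            old = enumerate_then_match(DIRECTORY, user, ALLOWED)
        except SizeLimitExceeded:
            old = "Sizelimit Exceeded"
        print(user, old, check_on_user_entry(DIRECTORY, user, ALLOWED))
```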