[ https://issues.apache.org/jira/browse/HIVE-15076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15839129#comment-15839129 ]

Shannon Ladymon commented on HIVE-15076:
----------------------------------------

This patch updated *hive.server2.authentication.ldap.groupMembershipKey* and 
added *hive.server2.authentication.ldap.userMembershipKey*. These configuration 
parameters have been added to the wiki:
* [Configuration Properties - hive.server2.authentication.ldap.groupMembershipKey | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.server2.authentication.ldap.groupMembershipKey]
* [Configuration Properties - hive.server2.authentication.ldap.userMembershipKey | https://cwiki.apache.org/confluence/display/Hive/Configuration+Properties#ConfigurationProperties-hive.server2.authentication.ldap.userMembershipKey]


> Improve scalability of LDAP authentication provider group filter
> ----------------------------------------------------------------
>
>                 Key: HIVE-15076
>                 URL: https://issues.apache.org/jira/browse/HIVE-15076
>             Project: Hive
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: 2.1.0
>            Reporter: Illya Yalovyy
>            Assignee: Illya Yalovyy
>             Fix For: 2.2.0
>
>         Attachments: HIVE-15076.1.patch, HIVE-15076.2.patch, 
> HIVE-15076.3.patch, HIVE-15076.4.patch, HIVE-15076.5.patch
>
>
> The current implementation uses the following algorithm:
> #   For a given user find all groups that user is a member of. (A list of 
> LDAP groups is constructed as a result of that request)
> #  Match this list of groups with provided group filter.
>  
> Time/Memory complexity of this approach is O(N) on the client side, where N is
> the number of groups the user has membership in. On a large directory (800+
> groups per user) we can observe up to 2x performance degradation and failures
> because of the size of the LDAP response (LDAP: error code 4 - Sizelimit Exceeded).
>
> Some Directory Services (Microsoft Active Directory for instance) provide a
> virtual attribute for the User Object that contains a list of groups that the user
> belongs to. This attribute can be used to quickly determine whether this user
> passes or fails the group filter.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
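
The two lookup strategies from the issue description, as an added example that is not part of the original message and is not Hive code. It is a simplified in-memory model: the directory contents, the DNs, the 500-entry SIZE_LIMIT and all function names are assumptions made for illustration, and no real LDAP calls are made.

```python
# Simplified in-memory model (constructed data; not Hive code, no real LDAP calls).
SIZE_LIMIT = 500  # assumed server cap on entries returned by one search

class SizeLimitExceeded(Exception):
    """Stands in for 'LDAP: error code 4 - Sizelimit Exceeded'."""

def build_directory(user_dn, n_groups):
    """Return (users, groups) where the user belongs to n_groups groups."""
    groups = {f"cn=group{i},ou=groups,dc=example,dc=com": {"member": {user_dn}}
              for i in range(n_groups)}
    # memberOf models the virtual attribute on the user object.
    users = {user_dn: {"memberOf": set(groups)}}
    return users, groups

def short_name(dn):
    """'cn=group7,ou=groups,...' -> 'group7'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def search_groups_of(groups, user_dn):
    """Group-side search: one result entry per group that lists the user."""
    hits = [dn for dn, attrs in groups.items() if user_dn in attrs["member"]]
    if len(hits) > SIZE_LIMIT:
        raise SizeLimitExceeded(f"{len(hits)} entries > {SIZE_LIMIT}")
    return hits

def allowed_group_side(groups, user_dn, group_filter):
    """Described algorithm: fetch every group of the user, then match."""
    try:
        names = {short_name(dn) for dn in search_groups_of(groups, user_dn)}
    except SizeLimitExceeded:
        return False  # no complete list, so the check cannot pass
    return bool(names & group_filter)

def allowed_user_side(users, user_dn, group_filter):
    """Alternative: read one user entry and test its membership attribute."""
    entry = users.get(user_dn)
    if entry is None:
        return False
    return any(short_name(dn) in group_filter for dn in entry["memberOf"])

if __name__ == "__main__":
    user = "cn=alice,ou=people,dc=example,dc=com"
    users, groups = build_directory(user, 800)
    print(allowed_group_side(groups, user, {"group799"}))  # False
    print(allowed_user_side(users, user, {"group799"}))    # True
```

With 800 groups the group-side search exceeds the modelled size limit and a legitimate member is rejected, while the user-side check reads a single entry and still evaluates the filter.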
