[jira] [Updated] (HIVE-13295) Improvement to LDAP search queries in HS2 LDAP Authenticator
[ https://issues.apache.org/jira/browse/HIVE-13295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chaoyu Tang updated HIVE-13295:
    Resolution: Fixed
    Fix Version/s: 2.1.0
    Status: Resolved (was: Patch Available)

Committed to 2.1.0. Thanks [~ngangam] for the patch. I think you may need to document the new LDAP configuration properties in the wiki.

> Improvement to LDAP search queries in HS2 LDAP Authenticator
>
> Key: HIVE-13295
> URL: https://issues.apache.org/jira/browse/HIVE-13295
> Project: Hive
> Issue Type: Improvement
> Components: HiveServer2
> Affects Versions: 1.3.0
> Reporter: Naveen Gangam
> Assignee: Naveen Gangam
> Fix For: 2.1.0
>
> Attachments: HIVE-13295.1.patch, HIVE-13295.2.patch
>
>
> As more use cases, for various LDAP flavors and deployments, emerge, Hive's
> LDAP authentication provider needs additional configuration properties to
> make it more flexible to work with different LDAP deployments.
> For example:
> 1) Not every LDAP server supports a "memberOf" property on user entries that
> refers to the groups the user belongs to. This attribute is used for group
> filter support. So instead of relying on this attribute to be set, we can
> reverse the search and find all the groups that have an attribute, that
> refers to its members, set. For example "member" or "memberUid" etc.
> Since this attribute name differs from LDAP to LDAP, it's best we make this
> configurable, with a default value of "member".
> 2) In HIVE-12885, a new property was introduced to make the attribute for a
> user/group search key user-configurable instead of assuming it's "uid" (when
> baseDN is set) or "cn" (otherwise). This change was deferred from the initial
> patch.
> 3) LDAP groups can have various objectClasses. For example objectClass=group
> or objectClass=groupOfNames or objectClass=posixGroup or
> objectClass=groupOfUniqueNames etc. There could be others we don't know of.
> So we need a property to make this user-configurable with a certain default.
> 4) There is also a bug where the lists for groupFilter and userFilter are not
> re-initialized each time init() is called.
> These lists are only re-initialized if the new HiveConf has userFilter or
> groupFilter set values. Otherwise, the provider will use values from previous
> initialization.
> I found this bug when writing some new tests.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
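An added example, not code from the Hive patch or its authors, sketching points 1, 3 and 4 of the description above: the reverse group search filter built from a configurable membership attribute and group objectClass, and an init() that rebuilds the filter lists on every call. The class, method and configuration key names are hypothetical, and the "groupOfNames" default and the allow-when-unset behaviour are assumptions.

```python
# Added illustration: hypothetical names, not Hive's code or property keys.

def escape_filter_value(value):
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def _csv(conf, key):
    """Split a comma-separated setting into a fresh list (empty if unset)."""
    return [v.strip() for v in conf.get(key, '').split(',') if v.strip()]


class GroupFilterConfig:
    def __init__(self, conf=None):
        self.init(conf or {})

    def init(self, conf):
        # Point 4: rebuild both lists on every init(), even when the new
        # configuration leaves them unset, so a restriction (or the lack of
        # one) from an earlier configuration cannot carry over.
        self.group_filter = _csv(conf, 'groupFilter')
        self.user_filter = _csv(conf, 'userFilter')
        # Point 1: membership attribute on group entries, default "member".
        self.membership_attr = conf.get('groupMembershipAttr', 'member')
        # Point 3: group objectClass; this default is an assumption.
        self.group_class = conf.get('groupObjectClass', 'groupOfNames')

    def groups_of_user_filter(self, user_ref):
        """Reverse search: match group entries that list user_ref as a member.

        user_ref is a DN for "member" style attributes or a bare login name
        for "memberUid"; it is escaped because it derives from client input.
        """
        return '(&(objectClass=%s)(%s=%s))' % (
            self.group_class, self.membership_attr,
            escape_filter_value(user_ref))

    def is_authorized(self, groups_found):
        """Check the group names returned by the search against groupFilter."""
        if not self.group_filter:
            return True  # assumption: no groupFilter means no restriction
        return any(g in self.group_filter for g in groups_found)
```
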
[jira] [Updated] (HIVE-13295) Improvement to LDAP search queries in HS2 LDAP Authenticator
Naveen Gangam updated HIVE-13295:
    Attachment: HIVE-13295.2.patch

Incorporating feedback from review.
[jira] [Updated] (HIVE-13295) Improvement to LDAP search queries in HS2 LDAP Authenticator
Naveen Gangam updated HIVE-13295:
    Status: Patch Available (was: Open)
[jira] [Updated] (HIVE-13295) Improvement to LDAP search queries in HS2 LDAP Authenticator
Naveen Gangam updated HIVE-13295:
    Status: Open (was: Patch Available)
[jira] [Updated] (HIVE-13295) Improvement to LDAP search queries in HS2 LDAP Authenticator
Naveen Gangam updated HIVE-13295:
    Status: Patch Available (was: Open)
[jira] [Updated] (HIVE-13295) Improvement to LDAP search queries in HS2 LDAP Authenticator
Naveen Gangam updated HIVE-13295:
    Attachment: HIVE-13295.1.patch