[jira] [Comment Edited] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16973502#comment-16973502
 ] 

Lukas Majercak edited comment on HADOOP-16705 at 11/13/19 4:34 PM:
---

Build failed because it used the .jpg file (n)


was (Author: lukmajercak):
Build failed because it used the .jpg file -_- 

> MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug 
> log
> 
>
> Key: HADOOP-16705
> URL: https://issues.apache.org/jira/browse/HADOOP-16705
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: metrics
>Affects Versions: 2.9.2
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: mbeaninfobuilder.JPG
>
>
> MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
> attributes that it gathered. This can have a high memory churn that can be 
> easily avoided. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16973502#comment-16973502
 ] 

Lukas Majercak commented on HADOOP-16705:
-

Build failed because it used the .jpg file -_- 

> MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug 
> log
> 
>
> Key: HADOOP-16705
> URL: https://issues.apache.org/jira/browse/HADOOP-16705
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: metrics
>Affects Versions: 2.9.2
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: mbeaninfobuilder.JPG
>
>
> MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
> attributes that it gathered. This can have a high memory churn that can be 
> easily avoided. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Work started] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on HADOOP-16705 started by Lukas Majercak.
---
> MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug 
> log
> 
>
> Key: HADOOP-16705
> URL: https://issues.apache.org/jira/browse/HADOOP-16705
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: metrics
>Affects Versions: 2.9.2
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: mbeaninfobuilder.JPG
>
>
> MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
> attributes that it gathered. This can have a high memory churn that can be 
> easily avoided. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16705:

Status: Patch Available  (was: In Progress)

> MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug 
> log
> 
>
> Key: HADOOP-16705
> URL: https://issues.apache.org/jira/browse/HADOOP-16705
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: metrics
>Affects Versions: 2.9.2
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: mbeaninfobuilder.JPG
>
>
> MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
> attributes that it gathered. This can have a high memory churn that can be 
> easily avoided. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Comment Edited] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16973448#comment-16973448
 ] 

Lukas Majercak edited comment on HADOOP-16705 at 11/13/19 3:38 PM:
---

Attached is a screenshot from a 5minute java flight recording (HDFS DataNode 
process). It shows that during these 5 minutes, more than 45GB of memory was 
created from
{code:java}
MbeanInfoBuilder.get()
{code}


was (Author: lukmajercak):
Attached is a screenshot from a 5minute java flight recording. It shows that 
during these 5 minutes, more than 45GB of memory was created from
{code:java}
MbeanInfoBuilder.get()
{code}

> MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug 
> log
> 
>
> Key: HADOOP-16705
> URL: https://issues.apache.org/jira/browse/HADOOP-16705
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: metrics
>Affects Versions: 2.9.2
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: mbeaninfobuilder.JPG
>
>
> MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
> attributes that it gathered. This can have a high memory churn that can be 
> easily avoided. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16973448#comment-16973448
 ] 

Lukas Majercak commented on HADOOP-16705:
-

Attached is a screenshot from a 5minute java flight recording. It shows that 
during these 5 minutes, more than 45GB of memory was created from
{code:java}
MbeanInfoBuilder.get()
{code}

> MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug 
> log
> 
>
> Key: HADOOP-16705
> URL: https://issues.apache.org/jira/browse/HADOOP-16705
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: metrics
>Affects Versions: 2.9.2
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: mbeaninfobuilder.JPG
>
>
> MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
> attributes that it gathered. This can have a high memory churn that can be 
> easily avoided. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16705:

Attachment: mbeaninfobuilder.JPG

> MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug 
> log
> 
>
> Key: HADOOP-16705
> URL: https://issues.apache.org/jira/browse/HADOOP-16705
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: metrics
>Affects Versions: 2.9.2
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: mbeaninfobuilder.JPG
>
>
> MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
> attributes that it gathered. This can have a high memory churn that can be 
> easily avoided. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-16705) MBeanInfoBuilder puts unnecessary memory pressure on the system with a debug log

[Lukas Majercak (Jira)]

Lukas Majercak created HADOOP-16705:
---

 Summary: MBeanInfoBuilder puts unnecessary memory pressure on the 
system with a debug log
 Key: HADOOP-16705
 URL: https://issues.apache.org/jira/browse/HADOOP-16705
 Project: Hadoop Common
  Issue Type: Improvement
  Components: metrics
Affects Versions: 2.9.2
Reporter: Lukas Majercak
Assignee: Lukas Majercak


MBeanInfoBuilder's get() method DEBUG logs all the MBeanAttributeInfo 
attributes that it gathered. This can have a high memory churn that can be 
easily avoided. 





--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16680) Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider

[Lukas Majercak (Jira)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16680:

Affects Version/s: 3.3.0

> Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider
> ---
>
> Key: HADOOP-16680
> URL: https://issues.apache.org/jira/browse/HADOOP-16680
> Project: Hadoop Common
>  Issue Type: New Feature
>Affects Versions: 3.3.0
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
>
> Add MicrosoftGraphGroupsMapping that uses 
> https://developer.microsoft.com/en-us/graph to retrieve user groups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16680) Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider

[Lukas Majercak (Jira)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16680:

Component/s: security
 common
 auth

> Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider
> ---
>
> Key: HADOOP-16680
> URL: https://issues.apache.org/jira/browse/HADOOP-16680
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: auth, common, security
>Affects Versions: 3.3.0
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
>
> Add MicrosoftGraphGroupsMapping that uses 
> https://developer.microsoft.com/en-us/graph to retrieve user groups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16680) Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16965135#comment-16965135
 ] 

Lukas Majercak commented on HADOOP-16680:
-

Linked the PR, it will probably fail because of the okhttp changes needed from 
HADOOP-16679.

> Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider
> ---
>
> Key: HADOOP-16680
> URL: https://issues.apache.org/jira/browse/HADOOP-16680
> Project: Hadoop Common
>  Issue Type: New Feature
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
>
> Add MicrosoftGraphGroupsMapping that uses 
> https://developer.microsoft.com/en-us/graph to retrieve user groups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16680) Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16965109#comment-16965109
 ] 

Lukas Majercak commented on HADOOP-16680:
-

Will add a PR momentarily.

> Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider
> ---
>
> Key: HADOOP-16680
> URL: https://issues.apache.org/jira/browse/HADOOP-16680
> Project: Hadoop Common
>  Issue Type: New Feature
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
>
> Add MicrosoftGraphGroupsMapping that uses 
> https://developer.microsoft.com/en-us/graph to retrieve user groups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16679) Switch to okhttp3

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16965108#comment-16965108
 ] 

Lukas Majercak commented on HADOOP-16679:
-

[~elgoiri] I'm trying to add 
https://github.com/microsoftgraph/msgraph-sdk-java/ to be used for 
HADOOP-16680, but it uses okhttp3 which in turn uses the "okio" library. 

Our current okhttp uses okio version 1.6.0 whereas okhttp3 uses okio version 
1.15.0, which causes the dependency convergence checks to fail.

> Switch to okhttp3
> -
>
> Key: HADOOP-16679
> URL: https://issues.apache.org/jira/browse/HADOOP-16679
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: common, fs/azure
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
>
> Switch from okhttp 2.7.5 to 3.*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-16680) Add MicrosoftGraphGroupsMapping GroupMappingServiceProvider

[Lukas Majercak (Jira)]

Lukas Majercak created HADOOP-16680:
---

 Summary: Add MicrosoftGraphGroupsMapping 
GroupMappingServiceProvider
 Key: HADOOP-16680
 URL: https://issues.apache.org/jira/browse/HADOOP-16680
 Project: Hadoop Common
  Issue Type: New Feature
Reporter: Lukas Majercak
Assignee: Lukas Majercak


Add MicrosoftGraphGroupsMapping that uses 
https://developer.microsoft.com/en-us/graph to retrieve user groups.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-16679) Switch to okhttp3

[Lukas Majercak (Jira)]

Lukas Majercak created HADOOP-16679:
---

 Summary: Switch to okhttp3
 Key: HADOOP-16679
 URL: https://issues.apache.org/jira/browse/HADOOP-16679
 Project: Hadoop Common
  Issue Type: Improvement
  Components: common, fs/azure
Reporter: Lukas Majercak
Assignee: Lukas Majercak


Switch from okhttp 2.7.5 to 3.*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16525) LDAP group mapping should include primary posix group

[Lukas Majercak (Jira)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16913628#comment-16913628
 ] 

Lukas Majercak commented on HADOOP-16525:
-

Sorry, not familiar with LDAP internals.

> LDAP group mapping should include primary posix group
> -
>
> Key: HADOOP-16525
> URL: https://issues.apache.org/jira/browse/HADOOP-16525
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: Todd Lipcon
>Assignee: Todd Lipcon
>Priority: Major
> Attachments: hadoop-16525.txt
>
>
> When configuring LdapGroupsMapping against FreeIPA, the current 
> implementation searches for groups which have the user listed as a member. 
> This catches all "secondary" groups but misses the user's primary group 
> (typically the same name as their username). We should include a search for a 
> group matching the user's primary gidNumber in the group search.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15976) NameNode Performance degradation When Single LdapServer become a bottleneck in Ldap-based mapping module

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16868457#comment-16868457
 ] 

Lukas Majercak commented on HADOOP-15976:
-

We do not use LDAP anymore, but this sounds reasonable. The only thing I'd say 
is that now LdapGroupsMapping has a failover feature, so you might wanna look 
into that too, maybe just override failover() function and return immediately. 
Anyway, this should be clearer once we have unit tests for this new 
MultiLdapGroupsMapping

> NameNode Performance degradation When Single LdapServer become a  bottleneck 
> in Ldap-based mapping module 
> --
>
> Key: HADOOP-15976
> URL: https://issues.apache.org/jira/browse/HADOOP-15976
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: common
>Affects Versions: 3.1.1
>Reporter: fengyongshe
>Assignee: fengyongshe
>Priority: Major
> Attachments: HADOOP-15976.patch, image003(12-05-1(12-05-10-36-26).jpg
>
>
> 2000+ nodes cluster, We use OpenLdap to manager users and groups . when 
> LdapGroupsMapping used , Group look-up cause segment fault include NameNode 
> Performance degradation & name node crashes . 
> WARN security.Groups: Potential performance problem:
>  getGroups(user=) took 46817 milliseconds.
>  INFO namenode.FSNamesysatem(FSNamesystemLoclk.java:writeUnlock(252))- 
> FSNameSystem write lock held for 46817 ms via java.lang.thread.getStackTrace
> We Found the Ldap Server become the bottleneck for NN operations， Single Ldap 
> Server  only support hundred request per seconds
> ps. The Server was running nslcd 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16773447#comment-16773447
 ] 

Lukas Majercak commented on HADOOP-16125:
-

Thanks [~elgoiri]. I've added patch 004 with a small change: changing the log 
message in switchBindUser to only show the exception message rather than the 
full stack trace.

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch, HADOOP-16125.002.patch, 
> HADOOP-16125.003.patch, HADOOP-16125.004.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16125:

Attachment: HADOOP-16125.004.patch

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch, HADOOP-16125.002.patch, 
> HADOOP-16125.003.patch, HADOOP-16125.004.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772418#comment-16772418
 ] 

Lukas Majercak commented on HADOOP-16125:
-

Patch003 to fix findbugs/checkstyle/whitespace.

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch, HADOOP-16125.002.patch, 
> HADOOP-16125.003.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16125:

Attachment: HADOOP-16125.003.patch

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch, HADOOP-16125.002.patch, 
> HADOOP-16125.003.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16125:

Attachment: HADOOP-16125.002.patch

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch, HADOOP-16125.002.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772330#comment-16772330
 ] 

Lukas Majercak commented on HADOOP-16125:
-

Add DummyLdapCtxFactory.reset() in patch002.

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch, HADOOP-16125.002.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16125:

Status: Patch Available  (was: In Progress)

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16125:

Attachment: HADOOP-16125.001.patch

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Work started] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on HADOOP-16125 started by Lukas Majercak.
---
> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-16125.001.patch
>
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16125?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16125:

Description: 
Currently, LdapGroupsMapping supports only a single user to bind to when 
connecting to LDAP. This can be problematic if such user's password needs to be 
reset. 

The proposal is to support multiple such users and switch between them if 
necessary, more info in GroupsMapping.md / core-default.xml in the patches.

> Support multiple bind users in LdapGroupsMapping
> 
>
> Key: HADOOP-16125
> URL: https://issues.apache.org/jira/browse/HADOOP-16125
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
>
> Currently, LdapGroupsMapping supports only a single user to bind to when 
> connecting to LDAP. This can be problematic if such user's password needs to 
> be reset. 
> The proposal is to support multiple such users and switch between them if 
> necessary, more info in GroupsMapping.md / core-default.xml in the patches.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-16125) Support multiple bind users in LdapGroupsMapping

[Lukas Majercak (JIRA)]

Lukas Majercak created HADOOP-16125:
---

 Summary: Support multiple bind users in LdapGroupsMapping
 Key: HADOOP-16125
 URL: https://issues.apache.org/jira/browse/HADOOP-16125
 Project: Hadoop Common
  Issue Type: New Feature
  Components: common, security
Reporter: Lukas Majercak
Assignee: Lukas Majercak






--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16045) Don't run TestDU on Windows

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16742457#comment-16742457
 ] 

Lukas Majercak commented on HADOOP-16045:
-

Thanks [~elgoiri]. We'd need to backport HADOOP-14729 for this to be applicable 
to branch-2, but I don't think that's necessary.

> Don't run TestDU on Windows
> ---
>
> Key: HADOOP-16045
> URL: https://issues.apache.org/jira/browse/HADOOP-16045
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: common, test
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Trivial
> Fix For: 3.0.4, 3.3.0, 3.2.1, 3.1.3
>
> Attachments: HADOOP-16045.001.patch
>
>
> DU is not supported on Windows, ignore the test.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16045) Don't run TestDU on Windows

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16045:

Status: Patch Available  (was: Open)

> Don't run TestDU on Windows
> ---
>
> Key: HADOOP-16045
> URL: https://issues.apache.org/jira/browse/HADOOP-16045
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common, test
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Trivial
> Attachments: HADOOP-16045.001.patch
>
>
> DU is not supported on Windows, ignore the test.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16045) Don't run TestDU on Windows

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16740899#comment-16740899
 ] 

Lukas Majercak commented on HADOOP-16045:
-

Windows uses WindowsGetSpaceUsed

> Don't run TestDU on Windows
> ---
>
> Key: HADOOP-16045
> URL: https://issues.apache.org/jira/browse/HADOOP-16045
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: common, test
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Trivial
> Attachments: HADOOP-16045.001.patch
>
>
> DU is not supported on Windows, ignore the test.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-16045) Don't run TestDU on Windows

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-16045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16740897#comment-16740897
 ] 

Lukas Majercak commented on HADOOP-16045:
-

DU line 72

> Don't run TestDU on Windows
> ---
>
> Key: HADOOP-16045
> URL: https://issues.apache.org/jira/browse/HADOOP-16045
> Project: Hadoop Common
>  Issue Type: Sub-task
>  Components: common, test
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Trivial
> Attachments: HADOOP-16045.001.patch
>
>
> DU is not supported on Windows, ignore the test.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-16045) Don't run TestDU on Windows

[Lukas Majercak (JIRA)]

Lukas Majercak created HADOOP-16045:
---

 Summary: Don't run TestDU on Windows
 Key: HADOOP-16045
 URL: https://issues.apache.org/jira/browse/HADOOP-16045
 Project: Hadoop Common
  Issue Type: Bug
  Components: common, test
Reporter: Lukas Majercak
Assignee: Lukas Majercak


DU is not supported on Windows, ignore the test.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-16045) Don't run TestDU on Windows

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-16045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-16045:

Attachment: HADOOP-16045.001.patch

> Don't run TestDU on Windows
> ---
>
> Key: HADOOP-16045
> URL: https://issues.apache.org/jira/browse/HADOOP-16045
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common, test
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Trivial
> Attachments: HADOOP-16045.001.patch
>
>
> DU is not supported on Windows, ignore the test.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16718330#comment-16718330
 ] 

Lukas Majercak commented on HADOOP-15995:
-

I changed it from conf to config because checkstyle was complaining about 
hiding a filed (the LdapGroupMapping's member variable named "conf" as well).

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch, HADOOP-15995.007.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Comment Edited] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16718330#comment-16718330
 ] 

Lukas Majercak edited comment on HADOOP-15995 at 12/12/18 1:24 AM:
---

I changed it from conf to config because checkstyle was complaining about 
hiding a field (the LdapGroupMapping's member variable named "conf" as well).


was (Author: lukmajercak):
I changed it from conf to config because checkstyle was complaining about 
hiding a filed (the LdapGroupMapping's member variable named "conf" as well).

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch, HADOOP-15995.007.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Comment Edited] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16718330#comment-16718330
 ] 

Lukas Majercak edited comment on HADOOP-15995 at 12/12/18 1:25 AM:
---

Thanks! I changed it from conf to config because checkstyle was complaining 
about hiding a field (the LdapGroupMapping's member variable named "conf" as 
well).


was (Author: lukmajercak):
I changed it from conf to config because checkstyle was complaining about 
hiding a field (the LdapGroupMapping's member variable named "conf" as well).

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch, HADOOP-15995.007.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16718272#comment-16718272
 ] 

Lukas Majercak commented on HADOOP-15995:
-

I agree some of the configs from LDAPGroupsMapping lack documentation. We can 
create a separate JIRA to track it.

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch, HADOOP-15995.007.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16718005#comment-16718005
 ] 

Lukas Majercak commented on HADOOP-15995:
-

Patch007 changes to use testConfGetPasswordUsingAlias in 
TestLdapGroupsMapping.testConfGetPasswordUsingAlias to avoid javac warnings

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch, HADOOP-15995.007.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.007.patch

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch, HADOOP-15995.007.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16717950#comment-16717950
 ] 

Lukas Majercak commented on HADOOP-15995:
-

[~lmccay], does the latest patch look good to you? Thanks!

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.006.patch

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16717867#comment-16717867
 ] 

Lukas Majercak commented on HADOOP-15995:
-

I changed to getPasswordFromCredentialProviders for the alias approach, left 
the others the same.

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch, 
> HADOOP-15995.006.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.005.patch

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16717767#comment-16717767
 ] 

Lukas Majercak commented on HADOOP-15995:
-

Thanks [~elgoiri]. I fixed the style issue in the test.

For the deprecated method. I don't really know why this was deprecated, since 
we still used it. Also, the comment says to use 
getPasswordFromCredentialProviders, but conf.getPassword interally uses just 
that, so I don't know what the big deal is and personally would just remove the 
Deprecated annotation. It's not even like it's a primary api of the class, it's 
just a utility method for getting the password.

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch, HADOOP-15995.005.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16715795#comment-16715795
 ] 

Lukas Majercak commented on HADOOP-15995:
-

For some reason, yetus still picked patch002.

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.004.patch

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Status: Patch Available  (was: Open)

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Status: Open  (was: Patch Available)

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16715772#comment-16715772
 ] 

Lukas Majercak commented on HADOOP-15995:
-

Another checkstyle issue fixed in patch004.

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch, HADOOP-15995.004.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.003.patch

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16715707#comment-16715707
 ] 

Lukas Majercak commented on HADOOP-15995:
-

Patch 003 to fix the checkstyle issue.

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch, 
> HADOOP-15995.003.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.002.patch

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. The proposal is to use the value of the property 
> instead, which would fix this issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.002.patch

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: (was: HADOOP-15995.002.patch)

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Description: Currently, the property name 
hadoop.security.group.mapping.ldap.bind.password is used as an alias to get 
password from CredentialProviders. This has a big issue, which is that when we 
configure multiple LdapGroupsMapping providers through CompositeGroupsMapping, 
they will all have the same alias, and won't be able to be distinguished.   
(was: Currently, the property name 
hadoop.security.group.mapping.ldap.bind.password is used as an alias to get 
password from CredentialProviders. This has a big issue, which is that when we 
configure multiple LdapGroupsMapping providers through CompositeGroupsMapping, 
they will all have the same alias, and won't be able to be distinguished. The 
proposal is to use the value of the property instead, which would fix this 
issue.)

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when using multiple providers through CompositeGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Summary: Add ldap.bind.password.alias in LdapGroupsMapping to distinguish 
aliases when using multiple providers through CompositeGroupsMapping  (was: 
LdapGroupsMapping should use the bind.password config value as credential alias)

> Add ldap.bind.password.alias in LdapGroupsMapping to distinguish aliases when 
> using multiple providers through CompositeGroupsMapping
> -
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. The proposal is to use the value of the property 
> instead, which would fix this issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16715614#comment-16715614
 ] 

Lukas Majercak commented on HADOOP-15995:
-

Added .ldap.bind.password.alias in patch002.

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch, HADOOP-15995.002.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. The proposal is to use the value of the property 
> instead, which would fix this issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16715570#comment-16715570
 ] 

Lukas Majercak commented on HADOOP-15995:
-

I guess we could add a "ldap.bind.password.alias" configuration, and try that 
first, if we don't find anything we just fallback to the current version?

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. The proposal is to use the value of the property 
> instead, which would fix this issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16715569#comment-16715569
 ] 

Lukas Majercak commented on HADOOP-15995:
-

Mm, not sure about adding a new property, as the password management is already 
quite convoluted in the ldapgroupsmapping. For your second suggestion, we would 
need to change the logic in CompositeGroupsMapping, as it currently creates a 
copy of the config and populates the needed configuration keys and stripping 
the provider name.

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. The proposal is to use the value of the property 
> instead, which would fix this issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Assignee: Lukas Majercak
  Status: Patch Available  (was: Open)

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch
>
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16715554#comment-16715554
 ] 

Lukas Majercak commented on HADOOP-15995:
-

Thanks for the quick comment [~lmccay]. 

Say i have two providers:
hadoop.security.group.mapping=org.apache.hadoop.security.CompositeGroupsMapping
hadoop.security.group.mapping.providers=a,b
hadoop.security.group.mapping.provider.a=org.apache.hadoop.security.LdapGroupsMapping
hadoop.security.group.mapping.provider.b=org.apache.hadoop.security.LdapGroupsMapping

hadoop.security.group.mapping.provider.a.ldap.bind.password=foo
hadoop.security.group.mapping.provider.b.ldap.bind.password=bar

Both providers will use 
"hadoop.security.group.mapping.provider.ldap.bind.password" as the alias to get 
password from config. i.e. they won't be distinguishable.

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. The proposal is to use the value of the property 
> instead, which would fix this issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Description: Currently, the property name 
hadoop.security.group.mapping.ldap.bind.password is used as an alias to get 
password from CredentialProviders. This has a big issue, which is that when we 
configure multiple LdapGroupsMapping providers through CompositeGroupsMapping, 
they will all have the same alias, and won't be able to be distinguished. The 
proposal is to use the value of the property instead, which would fix this 
issue.

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch
>
>
> Currently, the property name hadoop.security.group.mapping.ldap.bind.password 
> is used as an alias to get password from CredentialProviders. This has a big 
> issue, which is that when we configure multiple LdapGroupsMapping providers 
> through CompositeGroupsMapping, they will all have the same alias, and won't 
> be able to be distinguished. The proposal is to use the value of the property 
> instead, which would fix this issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15995?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15995:

Attachment: HADOOP-15995.001.patch

> LdapGroupsMapping should use the bind.password config value as credential 
> alias
> ---
>
> Key: HADOOP-15995
> URL: https://issues.apache.org/jira/browse/HADOOP-15995
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: common
>Reporter: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15995.001.patch
>
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-15995) LdapGroupsMapping should use the bind.password config value as credential alias

[Lukas Majercak (JIRA)]

Lukas Majercak created HADOOP-15995:
---

 Summary: LdapGroupsMapping should use the bind.password config 
value as credential alias
 Key: HADOOP-15995
 URL: https://issues.apache.org/jira/browse/HADOOP-15995
 Project: Hadoop Common
  Issue Type: Bug
  Components: common
Reporter: Lukas Majercak






--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.011.branch-2.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Fix For: 2.10.0, 3.0.4, 3.3.0, 3.2.1, 2.9.3, 3.1.3
>
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch, HADOOP-15950.008.patch, 
> HADOOP-15950.009.patch, HADOOP-15950.010.patch, 
> HADOOP-15950.011.branch-2.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16707807#comment-16707807
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Posted patch 011 to change ldapUrls in 
TestLdapGroupsMappingWithFailover.testFailover to be final.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Fix For: 2.10.0, 3.0.4, 3.3.0, 3.2.1, 2.9.3, 3.1.3
>
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch, HADOOP-15950.008.patch, 
> HADOOP-15950.009.patch, HADOOP-15950.010.patch, HADOOP-15950.011.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.011.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Fix For: 2.10.0, 3.0.4, 3.3.0, 3.2.1, 2.9.3, 3.1.3
>
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch, HADOOP-15950.008.patch, 
> HADOOP-15950.009.patch, HADOOP-15950.010.patch, HADOOP-15950.011.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.010.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch, HADOOP-15950.008.patch, 
> HADOOP-15950.009.patch, HADOOP-15950.010.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.009.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch, HADOOP-15950.008.patch, 
> HADOOP-15950.009.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16705372#comment-16705372
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Thanks [~jojochuang], I added currentLdapUrl to the log message.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch, HADOOP-15950.008.patch, 
> HADOOP-15950.009.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.008.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch, HADOOP-15950.008.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.007.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16705129#comment-16705129
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Thanks [~elgoiri]. Added patch 007 with these changes.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch, HADOOP-15950.007.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.006.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16704104#comment-16704104
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Added patch006 with changes to GroupsMapping.md and core-default.xml. Could you 
review this [~jojochuang]? Thanks!

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch, 
> HADOOP-15950.006.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16702485#comment-16702485
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Thanks [~elgoiri] and [~jojochuang] for looking into this. I added patch005 to 
address Inigo's comments. For the documentation, I'm aware of this, expect a 
patch soon.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.005.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch, HADOOP-15950.005.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.004.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699751#comment-16699751
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Patch 004 to fix the unit test + checkstyle.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch, HADOOP-15950.004.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.003.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699663#comment-16699663
 ] 

Lukas Majercak commented on HADOOP-15950:
-

+ [~liuml07], [~cnauroth], [~jojochuang], [~shwethags], [~jnpandey]. I've seen 
you guys contributed to this part of the codebase, anyone available to 
review/provide feedback? Thanks!

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15951) LdapGroupsMapping should distinguish between retryable/nonretryable LDAP exceptions

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15951:

Description: 
Currently, LdapGroupsMapping.doGetGroups catches a very generic NamingException 
and retries no matter what the actual root cause is. In a lot of cases, for 
example when the actual exception is NameNotFoundException, retrying will be 
pointless. 

The proposal is to distinguish between retryable (e.g. CommunicationException) 
and non-retryable LDAP exceptions (such as InvalidAttributesException).

> LdapGroupsMapping should distinguish between retryable/nonretryable LDAP 
> exceptions
> ---
>
> Key: HADOOP-15951
> URL: https://issues.apache.org/jira/browse/HADOOP-15951
> Project: Hadoop Common
>  Issue Type: Improvement
>Reporter: Lukas Majercak
>Priority: Major
>
> Currently, LdapGroupsMapping.doGetGroups catches a very generic 
> NamingException and retries no matter what the actual root cause is. In a lot 
> of cases, for example when the actual exception is NameNotFoundException, 
> retrying will be pointless. 
> The proposal is to distinguish between retryable (e.g. 
> CommunicationException) and non-retryable LDAP exceptions (such as 
> InvalidAttributesException).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699658#comment-16699658
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Will add documentation for the new configurations next. Would appreciate 
feedback on this so far.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699656#comment-16699656
 ] 

Lukas Majercak commented on HADOOP-15950:
-

The patch also includes a bunch of cleanup in the code (exceptions that are not 
thrown etc). I thought about making a separate JIRA for this, but then thought 
that would just create problems when moving these changes across branches.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.002.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699654#comment-16699654
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Added patch003 to refactor LdapGroupsMapping.ldapUrls member variable. (removed 
reference to the list and kept the iterator only).

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch, 
> HADOOP-15950.003.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699650#comment-16699650
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Added patch002 to rename "retry" to "attempt", which makes things clearer imho.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch, HADOOP-15950.002.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-15951) LdapGroupsMapping should distinguish between retryable/nonretryable LDAP exceptions

[Lukas Majercak (JIRA)]

Lukas Majercak created HADOOP-15951:
---

 Summary: LdapGroupsMapping should distinguish between 
retryable/nonretryable LDAP exceptions
 Key: HADOOP-15951
 URL: https://issues.apache.org/jira/browse/HADOOP-15951
 Project: Hadoop Common
  Issue Type: Improvement
Reporter: Lukas Majercak






--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699643#comment-16699643
 ] 

Lukas Majercak commented on HADOOP-15950:
-

Added patch001 with the implementation. This still needs documentation to be 
updated.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Status: Patch Available  (was: In Progress)

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Work started] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on HADOOP-15950 started by Lukas Majercak.
---
> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Attachment: HADOOP-15950.001.patch

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15950.001.patch
>
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15950:

Description: Currently, LdapGroupsMapping supports only a single ldap 
server url, this can obviously cause issues if the ldap instance goes down. 
This JIRA attempts to improve this by allowing users to list multiple ldap 
server urls, and performing a failover if we detect any issues.

> Failover for LdapGroupsMapping
> --
>
> Key: HADOOP-15950
> URL: https://issues.apache.org/jira/browse/HADOOP-15950
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common, security
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
>
> Currently, LdapGroupsMapping supports only a single ldap server url, this can 
> obviously cause issues if the ldap instance goes down. This JIRA attempts to 
> improve this by allowing users to list multiple ldap server urls, and 
> performing a failover if we detect any issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Created] (HADOOP-15950) Failover for LdapGroupsMapping

[Lukas Majercak (JIRA)]

Lukas Majercak created HADOOP-15950:
---

 Summary: Failover for LdapGroupsMapping
 Key: HADOOP-15950
 URL: https://issues.apache.org/jira/browse/HADOOP-15950
 Project: Hadoop Common
  Issue Type: New Feature
  Components: common, security
Reporter: Lukas Majercak
Assignee: Lukas Majercak






--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15684) triggerActiveLogRoll stuck on dead name node, when ConnectTimeoutException happens.

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16611060#comment-16611060
 ] 

Lukas Majercak commented on HADOOP-15684:
-

patch004 LGTM. Thanks [~trjianjianjiao]

> triggerActiveLogRoll stuck on dead name node, when ConnectTimeoutException 
> happens. 
> 
>
> Key: HADOOP-15684
> URL: https://issues.apache.org/jira/browse/HADOOP-15684
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: ha
>Affects Versions: 3.0.0-alpha1
>Reporter: Rong Tang
>Assignee: Rong Tang
>Priority: Critical
> Attachments: 
> 0001-RollEditLog-try-next-NN-when-exception-happens.patch, 
> HADOOP-15684.000.patch, HADOOP-15684.001.patch, HADOOP-15684.002.patch, 
> HADOOP-15684.003.patch, HADOOP-15684.004.patch, 
> hadoop--rollingUpgrade-SourceMachine001.log
>
>
> When name node call triggerActiveLogRoll, and the cachedActiveProxy is a dead 
> name node, it will throws a ConnectTimeoutException, expected behavior is to 
> try next NN, but current logic doesn't do so, instead, it keeps trying the 
> dead, mistakenly take it as active.
>  
> 2018-08-17 10:02:12,001 WARN [Edit log tailer] 
> org.apache.hadoop.hdfs.server.namenode.ha.EditLogTailer: Unable to trigger a 
> roll of the active NN
> org.apache.hadoop.net.ConnectTimeoutException: Call From 
> SourceMachine001/SourceIP to001 TargetMachine001.ap.gbl:8020 failed on socket 
> timeout exception: org.apache.hadoop.net.ConnectTimeoutException: 2 
> millis timeout 
> org.apache.hadoop.hdfs.server.namenode.ha.EditLogTailer$2.doWork(EditLogTailer.java:298)
>  
> C:\Users\rotang>ping TargetMachine001
> Pinging TargetMachine001[TargetIP001] with 32 bytes of data:
>  Request timed out.
>  Request timed out.
>  Request timed out.
>  Request timed out.
>  Attachment is a log file saying how it repeatedly retries a dead name node, 
> and a fix patch.
>  I replaced the actual machine name/ip as SourceMachine001/SourceIP001 and 
> TargetMachine001/TargetIP001.
>  
> How to Repro:
> In a good running NNs, take down the active NN (don't let it come back during 
> test), and then the stand by NNs will keep trying dead (old active) NN, 
> because it is the cached one.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-10219) ipc.Client.setupIOstreams() needs to check for ClientCache.stopClient requested shutdowns

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-10219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16603448#comment-16603448
 ] 

Lukas Majercak commented on HADOOP-10219:
-

Thanks for spending time on this [~ste...@apache.org] and merging it. Added a 
branch-2 patch.

> ipc.Client.setupIOstreams() needs to check for ClientCache.stopClient 
> requested shutdowns 
> --
>
> Key: HADOOP-10219
> URL: https://issues.apache.org/jira/browse/HADOOP-10219
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: ipc
>Affects Versions: 2.2.0, 2.6.0
>Reporter: Steve Loughran
>Assignee: Kihwal Lee
>Priority: Major
> Fix For: 3.2.0, 3.1.2
>
> Attachments: HADOOP-10219-branch-2.000.patch, HADOOP-10219.patch, 
> HADOOP-10219.v1.patch, HADOOP-10219.v2.patch, HADOOP-10219.v3.patch, 
> HADOOP-10219.v4.patch
>
>
> When {{ClientCache.stopClient()}} is called to stop the IPC client, if the 
> client
>  is blocked spinning due to a connectivity problem, it does not exit until 
> the policy has timed out -so the stopClient() operation can hang for an 
> extended period of time.
> This can surface in the shutdown hook of FileSystem.cache.closeAll()
> Also, Client.stop() is for used in NN switch from Standby to Active, and can 
> therefore have very bad consequences and cause downtime.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-10219) ipc.Client.setupIOstreams() needs to check for ClientCache.stopClient requested shutdowns

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-10219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-10219:

Attachment: HADOOP-10219-branch-2.000.patch

> ipc.Client.setupIOstreams() needs to check for ClientCache.stopClient 
> requested shutdowns 
> --
>
> Key: HADOOP-10219
> URL: https://issues.apache.org/jira/browse/HADOOP-10219
> Project: Hadoop Common
>  Issue Type: Bug
>  Components: ipc
>Affects Versions: 2.2.0, 2.6.0
>Reporter: Steve Loughran
>Assignee: Kihwal Lee
>Priority: Major
> Fix For: 3.2.0, 3.1.2
>
> Attachments: HADOOP-10219-branch-2.000.patch, HADOOP-10219.patch, 
> HADOOP-10219.v1.patch, HADOOP-10219.v2.patch, HADOOP-10219.v3.patch, 
> HADOOP-10219.v4.patch
>
>
> When {{ClientCache.stopClient()}} is called to stop the IPC client, if the 
> client
>  is blocked spinning due to a connectivity problem, it does not exit until 
> the policy has timed out -so the stopClient() operation can hang for an 
> extended period of time.
> This can surface in the shutdown hook of FileSystem.cache.closeAll()
> Also, Client.stop() is for used in NN switch from Standby to Active, and can 
> therefore have very bad consequences and cause downtime.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-15707) Add IsActiveServlet to be used for Load Balancers

[Lukas Majercak (JIRA)]

 [ 
https://issues.apache.org/jira/browse/HADOOP-15707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukas Majercak updated HADOOP-15707:

Attachment: HADOOP-15707.004.patch

> Add IsActiveServlet to be used for Load Balancers
> -
>
> Key: HADOOP-15707
> URL: https://issues.apache.org/jira/browse/HADOOP-15707
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15707.000.patch, HADOOP-15707.001.patch, 
> HADOOP-15707.002.patch, HADOOP-15707.003.patch, HADOOP-15707.004.patch
>
>
> Hadoop has a few services with HA setups and it is common to set them behind 
> Load Balancers.
> We should add a way for the Load Balancers to understand what should be the 
> UI to show.
> For example, the standby RM just redirects the requests to the active RM.
> However, if both RMs are behind a Load Balancer the IP might not be reachable.
> Most Load balancers have probes to check if a server reports HTTP code 200:
> * 
> [Azure|https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview]
> * 
> [AWS|https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html]
> Components in Hadoop (e.g., NN, RM, Router,...) should have a unified way to 
> report if they are active.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Commented] (HADOOP-15707) Add IsActiveServlet to be used for Load Balancers

[Lukas Majercak (JIRA)]

[ 
https://issues.apache.org/jira/browse/HADOOP-15707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16603440#comment-16603440
 ] 

Lukas Majercak commented on HADOOP-15707:
-

Patch004 to fix checkstyle

> Add IsActiveServlet to be used for Load Balancers
> -
>
> Key: HADOOP-15707
> URL: https://issues.apache.org/jira/browse/HADOOP-15707
> Project: Hadoop Common
>  Issue Type: New Feature
>  Components: common
>Reporter: Lukas Majercak
>Assignee: Lukas Majercak
>Priority: Major
> Attachments: HADOOP-15707.000.patch, HADOOP-15707.001.patch, 
> HADOOP-15707.002.patch, HADOOP-15707.003.patch, HADOOP-15707.004.patch
>
>
> Hadoop has a few services with HA setups and it is common to set them behind 
> Load Balancers.
> We should add a way for the Load Balancers to understand what should be the 
> UI to show.
> For example, the standby RM just redirects the requests to the active RM.
> However, if both RMs are behind a Load Balancer the IP might not be reachable.
> Most Load balancers have probes to check if a server reports HTTP code 200:
> * 
> [Azure|https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview]
> * 
> [AWS|https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html]
> Components in Hadoop (e.g., NN, RM, Router,...) should have a unified way to 
> report if they are active.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org