[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2018-03-06 Thread Konstantin Shvachko (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konstantin Shvachko updated HADOOP-13105:
-
Fix Version/s: 2.7.6

I just ported this to branch-2.7. Updating Fix Versions.
This required HADOOP-12472 for tests to pass.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
>Priority: Major
> Fix For: 2.8.0, 3.0.0-alpha1, 2.7.6
>
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch, HADOOP-13105.003.patch, HADOOP-13105.004.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-08-18 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Release Note: This patch adds two new config keys for supporting timeouts 
in LDAP query operations. The property 
"hadoop.security.group.mapping.ldap.connection.timeout.ms" is the connection 
timeout (in milliseconds), within which period if the LDAP provider doesn't 
establish a connection, it will abort the connect attempt. The property 
"hadoop.security.group.mapping.ldap.read.timeout.ms" is the read timeout (in 
milliseconds), within which period if the LDAP provider doesn't get a LDAP 
response, it will abort the read attempt.

Added release notes. Feel free to refine it. Thanks.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Fix For: 2.8.0
>
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch, HADOOP-13105.003.patch, HADOOP-13105.004.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-06-03 Thread Chris Nauroth (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Nauroth updated HADOOP-13105:
---
   Resolution: Fixed
Fix Version/s: 2.8.0
   Status: Resolved  (was: Patch Available)

I have committed this to trunk, branch-2 and branch-2.8.  [~liuml07], thank you 
for the patch.  [~jojochuang], thank you for helping with code review.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Fix For: 2.8.0
>
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch, HADOOP-13105.003.patch, HADOOP-13105.004.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-06-03 Thread Chris Nauroth (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Nauroth updated HADOOP-13105:
---
Affects Version/s: (was: 3.0.0-alpha1)
 Target Version/s: 2.8.0
 Hadoop Flags: Reviewed

+1 for patch 004, pending pre-commit run.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch, HADOOP-13105.003.patch, HADOOP-13105.004.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-06-03 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Attachment: HADOOP-13105.004.patch

Thank you [~cnauroth] for your comment. Sorry I was not aware of the {{final}} 
variable problem when sharing with a nested thread in Java 7. I should have 
fixed the problem if I had the chance to build against {{branch-2}}. I was 
spoiled by the Java 8 and especially IntelliJ IDE.

The v4 patch simply added two "final" keyword to the {{finLatch}} varaible in 
the test. I tested the patch on both trunk (Java 8) and trunk (Java 7), and it 
looked good.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 3.0.0-alpha1
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch, HADOOP-13105.003.patch, HADOOP-13105.004.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-06-02 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Attachment: HADOOP-13105.003.patch

Thanks for your review, [~cnauroth]. The v3 patch is to address your latest 
comments. Specially, I took away the lambdas in the v3 patch (the IntelliJ 
refactored it for me in the first place).

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 3.0.0-alpha1
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch, HADOOP-13105.003.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-05-27 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Affects Version/s: 3.0.0-alpha1

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 3.0.0-alpha1
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-05-27 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Attachment: HADOOP-13105.002.patch

The v2 patch fixes the checkstyle warnings.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch, 
> HADOOP-13105.002.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-05-23 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Attachment: HADOOP-13105.001.patch

Thanks [~cnauroth] for the suggestion. I had a look at minikdc and find it's 
not straightforward to simply extend it. Actually I figured out a way similar 
to your last comment {{TestWebHdfsTimeouts}}. The only magic is 
{{AUTHENTICATE_SUCCESS_MSG}}. I don't like this hacking message but this is the 
best I can tell. The bright side is that, we're testing both connect and read 
timeout using a dummy server. As you stated, the JNDI documentation clearly 
spells out how to set both connection and read timeout. But still, in case the 
JNDI env variables are not working in upstream package, we'll find it out 
sooner than later.

As to exploring ApacheDS for testing the LDAP mapping code, I like the idea. 
Thanks for letting me know the in-progress [HADOOP-8145] work, [~jojochuang]. 
Actually I was expecting something alike before I checked out the 
{{TestLdapGroupsMapping}}. I was disappointed that we were just mocking the 
stuff.

However, as 1) the change will bring new dependencies (ApacheDS test module), 
2) heavy to use (I personally don't like the aspect-like annotations) 3) I 
don't know easy way to make the server delay for a specific period, I suggest 
we consolidate the effort of testing these features against a real LDAP server 
along with other test cases in [HADOOP-8145], clearly in a new class as what's 
you're doing.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch, HADOOP-13105.001.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-05-07 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Status: Patch Available  (was: Open)

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Updated] (HADOOP-13105) Support timeouts in LDAP queries in LdapGroupsMapping.

2016-05-07 Thread Mingliang Liu (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HADOOP-13105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mingliang Liu updated HADOOP-13105:
---
Attachment: HADOOP-13105.000.patch

Hi [~cnauroth], thanks for reporting this.

# In the {{LdapGroupsMapping}}, we are also missing the 
{{com.sun.jndi.ldap.connect.timeout}} property for the env. I suppose this is 
orthogonal to the read timeouts. Should we address this as well?
# I had a look at the JNDI API documentation you kindly posted. I'm not sure I 
understand it correctly or the documentation is stale, but I was not able to 
reproduce the timed out exception using the 
[ReadTimeoutTest.java|https://docs.oracle.com/javase/tutorial/displayCode.html?code=https://docs.oracle.com/javase/tutorial/jndi/newstuff/examples/ReadTimeoutTest.java].
 If we only set the {{com.sun.jndi.ldap.read.timeout}} env, the {{new 
InitialDirContext(env)}} will be stuck at connection phase and the read (query) 
operation will never be really issued. The test is running forever. However, if 
I set the {{com.sun.jndi.ldap.connect.timeout}}, the {{LDAP response read timed 
out}} naming exception will be thrown as expected.
# That's said, to test the {{com.sun.jndi.ldap.read.timeout}} feature is not as 
easy as to test the connect timeout. I'm wondering if the mock/spy will really 
help us here.

See the v0 patch attached. I can make the property values configurable.

> Support timeouts in LDAP queries in LdapGroupsMapping.
> --
>
> Key: HADOOP-13105
> URL: https://issues.apache.org/jira/browse/HADOOP-13105
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: security
>Reporter: Chris Nauroth
>Assignee: Mingliang Liu
> Attachments: HADOOP-13105.000.patch
>
>
> {{LdapGroupsMapping}} currently does not set timeouts on the LDAP queries.  
> This can create a risk of a very long/infinite wait on a connection.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org