Posted to dev@knox.apache.org by "Ryan LaMothe (JIRA)" <ji...@apache.org> on 2017/04/27 16:51:04 UTC

[jira] [Commented] (KNOX-461) Leverage Directory Computed Attribute for User Group Discovery

    [ https://issues.apache.org/jira/browse/KNOX-461?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15987004#comment-15987004 ] 

Ryan LaMothe commented on KNOX-461:
-----------------------------------

Currently, KNOX is the only Hadoop component that we use which does not support Active Directory virtual attribute reverse lookups, which is forcing us to create complex workarounds to try and use KNOX in our environment. In our case, we have hundreds of thousands of groups (e.g. RBAC) in Active Directory, so all of our enterprise software and tooling looks up Users first, then searches the User's 'memberOf' list and performs a reverse lookup of Groups. This works well because each User is typically only a 'memberOf' a few tens or hundreds of groups. It is also an extremely fast lookup, compared to group lookups, which is a primary reason Microsoft implemented the feature. By having KNOX perform group lookups first, then searching each group's 'member' list for Users, KNOX fails to scale or perform, and this feature needs to be implemented ASAP in KNOX.

> Leverage Directory Computed Attribute for User Group Discovery
> ---------------------------------------------------------------
>
>                 Key: KNOX-461
>                 URL: https://issues.apache.org/jira/browse/KNOX-461
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Dilli Arumugam
>            Priority: Critical
>             Fix For: Future
>
>
> Leverage Directory Computed Attribute for User Group Discovery
> We should use the computed attribute memberOf supported by Active Directory to discover groups of the authenticated user. This would significantly boost performance as compared to computing groups using group search.
> OpenLDAP also could be configured to return computed groups.
> However, OpenLDAP would return this attribute as memberof.
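The user-first lookup the comment describes, written out as an added JNDI example (not Knox code, and not the patch for this issue). It assumes an already-bound `DirContext` (for example a service account) and that the user's groups live in the same domain; `userSearchBase` and the class/method names are placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

// Added example: user-first group discovery via the AD computed attribute memberOf.
// Assumes ctx is already bound and groups are in the user's domain (hypothetical names).
public class MemberOfGroupLookup {

    /** Returns the cn of every group the user is a direct member of. */
    public static List<String> groupsOf(DirContext ctx, String userSearchBase, String sAMAccountName)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});
        // One search scoped to the user container. The account name is passed as a filter
        // argument ({0}) so JNDI escapes LDAP filter metacharacters for us.
        NamingEnumeration<SearchResult> hits = ctx.search(userSearchBase,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {sAMAccountName}, sc);
        if (!hits.hasMore()) {
            return new ArrayList<>(); // unknown user: no groups
        }
        Attribute memberOf = hits.next().getAttributes().get("memberOf");
        List<String> names = new ArrayList<>();
        if (memberOf == null) {
            return names; // no memberships, or attribute not readable by this bind
        }
        // memberOf holds group DNs. A base-scope read of each DN yields the group's cn:
        // one cheap read per membership instead of scanning every group's member list.
        NamingEnumeration<?> dns = memberOf.getAll();
        while (dns.hasMore()) {
            String groupDn = (String) dns.next();
            // LdapName keeps DN syntax (commas, escapes) from being misparsed as a composite name.
            Attributes groupAttrs = ctx.getAttributes(new LdapName(groupDn), new String[] {"cn"});
            Attribute cn = groupAttrs.get("cn");
            if (cn != null) {
                names.add((String) cn.get());
            }
        }
        return names;
    }
}
```

Note that memberOf lists direct memberships only and omits the user's primary group (normally Domain Users), so an authorization rule keyed on that group or on nested membership needs an extra step such as a transitive (LDAP_MATCHING_RULE_IN_CHAIN) query.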



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)