Posted to common-issues@hadoop.apache.org by "Larry McCay (Jira)" <ji...@apache.org> on 2022/06/21 21:36:00 UTC

[jira] [Assigned] (HADOOP-18074) Partial/Incomplete groups list can be returned in LDAP groups lookup

     [ https://issues.apache.org/jira/browse/HADOOP-18074?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay reassigned HADOOP-18074:
------------------------------------

    Target Version/s: 3.3.4
            Assignee: Larry McCay

> Partial/Incomplete groups list can be returned in LDAP groups lookup
> --------------------------------------------------------------------
>
>                 Key: HADOOP-18074
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18074
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Philippe Lanoe
>            Assignee: Larry McCay
>            Priority: Major
>
> Hello,
> The
> {code:java}
> Set<String> doGetGroups(String user, int goUpHierarchy)
> {code}
> method in
> [https://github.com/apache/hadoop/blob/b27732c69b114f24358992a5a4d170bc94e2ceaf/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java#L476]
> looks like it has an issue if a *NamingException* is caught in the middle of the loop:
> The groups variable is not reset in the catch clause and therefore the fallback lookup cannot be executed (when goUpHierarchy==0 at least):
> {code:java}
> if (groups.isEmpty() || goUpHierarchy > 0) {        
>     groups = lookupGroup(result, c, goUpHierarchy);
> }
> {code}
>  
> The consequence is that only a partial list of groups is returned, which is not correct.
> The following options could be used as a solution:
>  * Reset the group to an empty list in the catch clause, to trigger the fallback query.
>  * Add an option flag to enable ignoring groups with Naming Exception (since they are most probably not groups)
> Independently, should any issue also occur (and therefore the full list cannot be returned) in the first lookup as well as in the fallback query, the method should/could (with an option flag) throw an Exception, because in some scenarios accuracy is important.
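
The failure mode described in the report, as an added example that is not part of the original message and is not Hadoop's code: a simplified model of the lookup loop showing how a NamingException caught mid-loop leaves a partial set that suppresses the fallback, next to the reporter's first proposed option (reset in the catch clause). The class, the Resolver interface, fallbackLookup(), the resetOnError flag and the DNs are hypothetical and constructed for illustration.

```java
import javax.naming.NamingException;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class PartialGroupsDemo {
    // Hypothetical stand-in for resolving one group DN to a group name.
    interface Resolver { String resolve(String dn) throws NamingException; }

    // Hypothetical stand-in for the fallback group search query.
    static Set<String> fallbackLookup() {
        return new LinkedHashSet<>(List.of("analysts", "hdfs-admins", "auditors"));
    }

    // resetOnError=false models the reported behaviour: the catch clause keeps
    // whatever was collected, so groups.isEmpty() is false and the fallback is
    // skipped when goUpHierarchy == 0.
    // resetOnError=true models the first proposed option: clear the set so the
    // fallback condition is met.
    static Set<String> lookup(List<String> dns, Resolver r,
                              int goUpHierarchy, boolean resetOnError) {
        Set<String> groups = new LinkedHashSet<>();
        try {
            for (String dn : dns) {
                groups.add(r.resolve(dn));
            }
        } catch (NamingException e) {
            if (resetOnError) {
                groups.clear();
            }
        }
        if (groups.isEmpty() || goUpHierarchy > 0) {
            groups = fallbackLookup();
        }
        return groups;
    }

    public static void main(String[] args) {
        // Constructed sample data: the second DN fails to resolve.
        List<String> dns = List.of(
            "cn=analysts,ou=groups,dc=example,dc=com",
            "cn=hdfs-admins,ou=groups,dc=example,dc=com",
            "cn=auditors,ou=groups,dc=example,dc=com");
        Resolver r = dn -> {
            if (dn.startsWith("cn=hdfs-admins")) throw new NamingException("constructed failure");
            return dn.substring(3, dn.indexOf(','));
        };
        System.out.println("as reported: " + lookup(dns, r, 0, false));
        System.out.println("with reset:  " + lookup(dns, r, 0, true));
    }
}
```

Because authorization decisions are made on the returned set, the partial result in the first call silently drops memberships that the fallback query would have supplied.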


