Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/06/25 18:09:00 UTC

[jira] [Work logged] (HADOOP-18074) Partial/Incomplete groups list can be returned in LDAP groups lookup

     [ https://issues.apache.org/jira/browse/HADOOP-18074?focusedWorklogId=784814&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-784814 ]

ASF GitHub Bot logged work on HADOOP-18074:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Jun/22 18:08
            Start Date: 25/Jun/22 18:08
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request, #4503:
URL: https://github.com/apache/hadoop/pull/4503

   … groups lookup
   
   ### Description of PR
   LdapGroupsMapping could return a partial list of group names due to encountering a NamingException while acquiring
   the RDN for a DN. This was due to not clearing the partially built list which results in the secondary query not being
   attempted. This PR clears the partially built list and forces the secondary query to be called.
   
   ### How was this patch tested?
   Existing unit tests were run and a new unit test added to ensure that the secondary query is indeed being called.
   
   ### For code changes:
   
   - [X] Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, `NOTICE-binary` files?
   
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 784814)
    Remaining Estimate: 0h
            Time Spent: 10m

> Partial/Incomplete groups list can be returned in LDAP groups lookup
> --------------------------------------------------------------------
>
>                 Key: HADOOP-18074
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18074
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Philippe Lanoe
>            Assignee: Larry McCay
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Hello,
> The  
> {code:java}
> Set<String> doGetGroups(String user, int goUpHierarchy) {code}
> method in
> [https://github.com/apache/hadoop/blob/b27732c69b114f24358992a5a4d170bc94e2ceaf/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java#L476]
> looks like it has an issue if in the middle of the loop a *NamingException* is caught:
> The groups variable is not reset in the catch clause and therefore the fallback lookup cannot be executed (when goUpHierarchy==0 at least):
> {code:java}
> if (groups.isEmpty() || goUpHierarchy > 0) {        
>     groups = lookupGroup(result, c, goUpHierarchy);
> }
> {code}
>  
> Consequence is that only a partial list of groups is returned, which is not correct.
> Following options could be used as solution:
>  * Reset the group to an empty list in the catch clause, to trigger the fallback query.
>  * Add an option flag to enable ignoring groups with Naming Exception (since they are not groups most probably)
> Independently, should any issue also occur (so that the full list cannot be returned) in the first lookup as well as in the fallback query, the method should/could (with an option flag) throw an Exception, because in some scenarios accuracy is important.



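The failure mode described in the issue report and the PR description, reduced to a self-contained sketch (an added example, not code from Hadoop or from the pull request). The class name, `MEMBER_OF`, `fallbackLookup` and `resolve` are hypothetical, and the DN strings are constructed sample data; only the `groups.isEmpty() || goUpHierarchy > 0` guard is taken from the report.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.naming.NamingException;
import javax.naming.ldap.LdapName;

public class PartialGroupsDemo {
    // Constructed sample data: group DNs for one user; the second entry is not a valid DN.
    static final List<String> MEMBER_OF = List.of(
        "cn=analysts,ou=groups,dc=example,dc=com",
        "malformed-entry",
        "cn=auditors,ou=groups,dc=example,dc=com");

    // Hypothetical stand-in for the secondary (fallback) query, which returns the full list.
    static Set<String> fallbackLookup() {
        return new LinkedHashSet<>(List.of("analysts", "auditors"));
    }

    // clearOnError=false models the reported behaviour, true models the reset
    // proposed in the report and described in the PR.
    static Set<String> resolve(boolean clearOnError, int goUpHierarchy) {
        Set<String> groups = new LinkedHashSet<>();
        try {
            for (String dn : MEMBER_OF) {
                // LdapName throws InvalidNameException (a NamingException) on a bad DN.
                LdapName name = new LdapName(dn);
                // The left-most RDN (the group's cn) is at index size() - 1.
                groups.add(name.getRdn(name.size() - 1).getValue().toString());
            }
        } catch (NamingException e) {
            // Without this reset, the entries added before the failure stay in the
            // set, so the isEmpty() guard below is false and the fallback is skipped.
            if (clearOnError) {
                groups.clear();
            }
        }
        // Guard quoted in the issue report.
        if (groups.isEmpty() || goUpHierarchy > 0) {
            groups = fallbackLookup();
        }
        return groups;
    }

    public static void main(String[] args) {
        System.out.println("without reset: " + resolve(false, 0));
        System.out.println("with reset:    " + resolve(true, 0));
    }
}
```

With `goUpHierarchy` at 0, the first call returns only the groups collected before the malformed entry, while the second call discards them and returns the fallback result.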