Posted to issues@hive.apache.org by "Naveen Gangam (Jira)" <ji...@apache.org> on 2022/09/20 15:25:00 UTC

[jira] [Updated] (HIVE-26502) Improve LDAP auth to support include generic user filters

     [ https://issues.apache.org/jira/browse/HIVE-26502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Naveen Gangam updated HIVE-26502:
---------------------------------
    Description: 
Currently, Hive's LDAP user filtering is based on configuring a set of patterns in which wildcards are replaced by usernames and searched for. While this model supports advanced filtering options where a corporate LDAP can have users in different orgs and trees, it does not quite support generic LDAP searches like this:
(&(uid={0})(objectClass=person))

To be able to support this without making changes to the semantics of existing configuration params, and to be backward compatible, we can enhance the existing custom query functionality to support this.

With a configuration like this, we should be able to perform a search for a user whose uid matches the username being authenticated.

{noformat}
  <property>
    <name>hive.server2.authentication.ldap.baseDN</name>
    <value>dc=apache,dc=org</value>
  </property>
  <property>
    <name>hive.server2.authentication.ldap.customLDAPQuery</name>
    <value>(&amp;(uid={0})(objectClass=person))</value>
  </property>

{noformat}


  was:
Currently, Hive's LDAP user filtering is based on configuring a set of patterns in which wildcards are replaced by usernames and searched for. While this model supports advanced filtering options where a corporate LDAP can have users in different orgs and trees, it does not quite support generic LDAP searches like this:
(&(uid={0})(objectClass=person))

To be able to support this without making changes to the semantics of existing configuration params, and to be backward compatible, we can enhance the existing custom query functionality to support this.

With a configuration like this, we should be able to perform a search for a user whose uid matches the username being authenticated.
  <property>
    <name>hive.server2.authentication.ldap.baseDN</name>
    <value>dc=apache,dc=org</value>
  </property>
  <property>
    <name>hive.server2.authentication.ldap.customLDAPQuery</name>
    <value>(&amp;(uid={0})(objectClass=person))</value>
  </property>



> Improve LDAP auth to support include generic user filters
> ---------------------------------------------------------
>
>                 Key: HIVE-26502
>                 URL: https://issues.apache.org/jira/browse/HIVE-26502
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 4.0.0-alpha-1
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>            Priority: Major
>
> Currently, Hive's LDAP user filtering is based on configuring a set of patterns in which wildcards are replaced by usernames and searched for. While this model supports advanced filtering options where a corporate LDAP can have users in different orgs and trees, it does not quite support generic LDAP searches like this:
> (&(uid={0})(objectClass=person))
> To be able to support this without making changes to the semantics of existing configuration params, and to be backward compatible, we can enhance the existing custom query functionality to support this.
> With a configuration like this, we should be able to perform a search for a user whose uid matches the username being authenticated.
> {noformat}
>   <property>
>     <name>hive.server2.authentication.ldap.baseDN</name>
>     <value>dc=apache,dc=org</value>
>   </property>
>   <property>
>     <name>hive.server2.authentication.ldap.customLDAPQuery</name>
>     <value>(&amp;(uid={0})(objectClass=person))</value>
>   </property>
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
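
The `{0}` substitution described in the issue, as an added example that is not part of the original message and is not Hive's own code: the username is escaped per RFC 4515 before it is placed into the filter template, so it is always matched as a literal value. The class and method names are hypothetical, and the sample usernames are constructed.

```java
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not Hive's.
public class LdapUserFilter {

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    // NUL, '(', ')', '*' and '\' must be written as \XX hex pairs; non-ASCII
    // bytes are hex-escaped here as well, which the RFC permits.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == 0x00 || c == '(' || c == ')' || c == '*' || c == '\\' || c >= 0x80) {
                out.append(String.format("\\%02x", c));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    // Expand the {0} placeholder of a filter template with the escaped username.
    static String buildFilter(String template, String username) {
        if (username == null || username.isEmpty()) {
            throw new IllegalArgumentException("username must not be empty");
        }
        if (!template.contains("{0}")) {
            throw new IllegalArgumentException("template has no {0} placeholder");
        }
        return template.replace("{0}", escapeFilterValue(username));
    }

    public static void main(String[] args) {
        // Filter template from the issue (unescaped form, as read from the config).
        String template = "(&(uid={0})(objectClass=person))";
        // Constructed sample usernames, some containing filter metacharacters.
        String[] samples = {"user1", "a*", "j(doe)", "back\\slash", "jos\u00e9"};
        for (String name : samples) {
            System.out.println(name + " -> " + buildFilter(template, name));
        }
    }
}
```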