Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/04/01 03:06:00 UTC

[jira] [Commented] (IMPALA-2563) Support LDAP search bind operations

    [ https://issues.apache.org/jira/browse/IMPALA-2563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072339#comment-17072339 ] 

ASF subversion and git services commented on IMPALA-2563:
---------------------------------------------------------

Commit 4e6780ebf1dfa90aea01b3e35d3dc9ceb100eaee in impala's branch refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=4e6780e ]

IMPALA-2563: Support LDAP search bind operations

This patch adds a number of new options for controlling LDAP
by restricting authentication to particular users and/or members of
particular groups:
--ldap_group_filter: comma separated list of authorized groups
--ldap_user_filter: comma separated list of authorized users

There are also options to control how LDAP is searched when applying
these filters:
--ldap_group_dn_pattern
--ldap_group_membership_key
--ldap_group_membership_class

These options were modelled on equivalent options in Hive, see:
https://cwiki.apache.org/confluence/display/Hive/User+and+Group+Filter+Support+with+LDAP+Atn+Provider+in+HiveServer2
https://github.com/apache/hive/tree/master/service/src/java/org/apache/hive/service/auth/ldap

This patch also refactors LDAP-related functionality into a utility
class, both to make authentication.cc more manageable and to
facilitate follow-up work that will add LDAP authentication options
for the webserver.

Testing:
- Added a FE custom cluster test that sets --ldap_group_filter and
  --ldap_user_filter and verifies expected behavior.

Change-Id: I7502a96e9a3c16faa67c03ffac54df2bdebbca8c
Reviewed-on: http://gerrit.cloudera.org:8080/15570
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Support LDAP search bind operations
> -----------------------------------
>
>                 Key: IMPALA-2563
>                 URL: https://issues.apache.org/jira/browse/IMPALA-2563
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: Impala 2.2.4
>            Reporter: Mike Yoder
>            Assignee: Thomas Tauber-Marshall
>            Priority: Minor
>              Labels: security
>
> Today Impala supports a simple direct bind model. This improvement jira is to bring Impala's LDAP model to be in line with Hive's. Please see in particular https://issues.apache.org/jira/browse/HIVE-7193 and https://cwiki.apache.org/confluence/display/Hive/User+and+Group+Filter+Support+with+LDAP+Atn+Provider+in+HiveServer2.


