Posted to dev@hive.apache.org by "Illya Yalovyy (JIRA)" <ji...@apache.org> on 2016/10/26 20:17:58 UTC
[jira] [Created] (HIVE-15076) Improve scalability of LDAP authentication provider group filter
Illya Yalovyy created HIVE-15076:
------------------------------------
Summary: Improve scalability of LDAP authentication provider group filter
Key: HIVE-15076
URL: https://issues.apache.org/jira/browse/HIVE-15076
Project: Hive
Issue Type: Improvement
Components: Authentication
Affects Versions: 2.1.0
Reporter: Illya Yalovyy
Assignee: Illya Yalovyy
The current implementation uses the following algorithm:
# For a given user, find all groups that the user is a member of. (A list of LDAP groups is constructed as a result of that request.)
# Match this list of groups with the provided group filter.
The time/memory complexity of this approach is O(N) on the client side, where N is the number of groups the user has membership in. On a large directory (800+ groups per user) we can observe up to 2x performance degradation and failures because of the size of the LDAP response (LDAP: error code 4 - Sizelimit Exceeded).
Some Directory Services (Microsoft Active Directory, for instance) provide a virtual attribute for the User Object that contains a list of groups that the user belongs to. This attribute can be used to quickly determine whether this user passes or fails the group filter.
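The two approaches from the issue, side by side, as an added example that is not Hive's code or part of the original message. It assumes Active Directory's memberOf and sAMAccountName attributes, a constructed in-memory directory, and a constructed size limit of 500; all function names are hypothetical.

```python
# Added example: constructed in-memory directory, not Hive code.
SIZE_LIMIT = 500  # constructed server-side size limit for the simulation


class SizeLimitExceeded(Exception):
    """Stands in for 'LDAP: error code 4 - Sizelimit Exceeded'."""


def escape_filter_value(value):
    """Escape RFC 4515 special characters so input cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def build_membership_filter(user, group_dns,
                            user_attr='sAMAccountName', member_attr='memberOf'):
    """Filter that matches the user entry only if it is in an allowed group."""
    groups = ''.join('(%s=%s)' % (member_attr, escape_filter_value(dn))
                     for dn in group_dns)
    return '(&(%s=%s)(|%s))' % (user_attr, escape_filter_value(user), groups)


def enumerate_then_match(directory, user, allowed_dns):
    """Current approach: one result entry per group, matched on the client."""
    groups = directory.get(user, set())
    if len(groups) > SIZE_LIMIT:          # response size grows with N
        raise SizeLimitExceeded(user)
    allowed = {dn.lower() for dn in allowed_dns}
    return any(g.lower() in allowed for g in groups)


def match_on_server(directory, user, allowed_dns):
    """Proposed approach: server evaluates the filter, returns 0 or 1 entry."""
    allowed = {dn.lower() for dn in allowed_dns}
    member_of = {g.lower() for g in directory.get(user, set())}
    entries = [user] if user in directory and member_of & allowed else []
    return len(entries) == 1


def sample_directory():
    """Constructed data: 'heavy' is in 800 groups plus the allowed one."""
    allowed = 'CN=hive-users,OU=Groups,DC=example,DC=com'
    heavy = {'CN=g%d,OU=Groups,DC=example,DC=com' % i for i in range(800)}
    return {'heavy': heavy | {allowed}, 'light': {allowed},
            'outsider': set()}, allowed
```

In Active Directory, memberOf lists only direct memberships and omits the user's primary group, so a filter built this way does not see nested groups.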