You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hive.apache.org by "Illya Yalovyy (JIRA)" <ji...@apache.org> on 2016/10/26 20:17:58 UTC

[jira] [Created] (HIVE-15076) Improve scalability of LDAP authentication provider group filter

Illya Yalovyy created HIVE-15076:
------------------------------------

             Summary: Improve scalability of LDAP authentication provider group filter
                 Key: HIVE-15076
                 URL: https://issues.apache.org/jira/browse/HIVE-15076
             Project: Hive
          Issue Type: Improvement
          Components: Authentication
    Affects Versions: 2.1.0
            Reporter: Illya Yalovyy
            Assignee: Illya Yalovyy


Current implementation uses following algorithm:
#   For a given user find all groups that user is a member of. (A list of LDAP groups is constructed as a result of that request)
#  Match this list of groups with provided group filter.
 
Time/Memory complexity of this approach is O(N) on client side, where N – is a number of groups the user has membership in. On a large directory (800+ groups per user) we can observe up to 2x performance degradation and failures because of size of LDAP response (LDAP: error code 4 - Sizelimit Exceeded).
 
Some Directory Services (Microsoft Active Directory for instance) provide a virtual attribute for User Object that contains a list of groups that user belongs to. This attribute can be used to quickly determine whether this user passes or fails the group filter.   



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)