Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/09/01 14:41:00 UTC
[jira] [Commented] (HADOOP-18388) Allow dynamic groupSearchFilter in LdapGroupsMapping
[ https://issues.apache.org/jira/browse/HADOOP-18388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17599003#comment-17599003 ]
ASF GitHub Bot commented on HADOOP-18388:
-----------------------------------------
lmccay commented on code in PR #4798:
URL: https://github.com/apache/hadoop/pull/4798#discussion_r960739138
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java:
##########
@@ -437,8 +443,14 @@ Set<String> lookupGroup(SearchResult result, DirContext c,
Set<String> groupDNs = new HashSet<>();
NamingEnumeration<SearchResult> groupResults;
- // perform the second LDAP query
- if (isPosix) {
+
+ String[] resolved = resolveCustomGroupFilterArgs(result);
+ // If custom group filter argument is supplied, use that!!!
+ if (resolved != null) {
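Review bot: the removed `// perform the second LDAP query` comment was the only statement of what this block does; keep it above the new `String[] resolved = resolveCustomGroupFilterArgs(result);` line, and replace `// If custom group filter argument is supplied, use that!!!` with a comment that states what `resolved == null` means (no custom argument attribute on the user entry, or an empty one) and whether the resolved values are handed to the search as JNDI filter arguments or concatenated into the filter string, since that is what decides whether a user-controlled attribute value can change the filter structure.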
Review Comment:
Is it not the case that this condition is a subset of the non-posix condition check? I think that we should only be looking for customGroupFilterArgs if it is non-posix not before the check of isPosix. Am I missing something that makes this the appropriate place for this?
##########
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java:
##########
@@ -120,6 +124,50 @@ public void testGetGroupsWithDefaultBaseDN() throws Exception {
doTestGetGroupsWithBaseDN(conf, baseDN.trim(), baseDN.trim());
}
+ @Test
+ public void testGetGroupsWithDynamicGroupFilter() throws Exception {
+ // Set basic mock stuff.
+ Configuration conf = getBaseConf(TEST_LDAP_URL);
+ String baseDN = "dc=xxx,dc=com";
+ conf.set(LdapGroupsMapping.BASE_DN_KEY, baseDN);
+ Attributes attributes = getAttributes();
+
+ // Set the groupFilter attributed to take the csv.
+ Attribute groupFilterAttr = mock(Attribute.class);
+ when(groupFilterAttr.get()).thenReturn("userDN,userName");
+ when(attributes.get(eq("groupfilter"))).thenReturn(groupFilterAttr);
+
+ // Set the value for userName attribute that is to be used as part of the
+ // group filter at argument 1.
+ final String userName = "some_user";
+ Attribute userNameAttr = mock(Attribute.class);
+ when(userNameAttr.get()).thenReturn(userName);
+ when(attributes.get(eq("userName"))).thenReturn(userNameAttr);
+
+ // Set the dynamic group search filter.
+ final String groupSearchFilter =
+ "(|(memberUid={0})(uname={1}))" + "(objectClass=group)";
+ conf.set(LdapGroupsMapping.GROUP_SEARCH_FILTER_KEY, groupSearchFilter);
+
+ final LdapGroupsMapping groupsMapping = getGroupsMapping();
+ groupsMapping.setConf(conf);
+
+ // The group search filter should be resolved and should be passed as the
+ // bellow.
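Review bot: the comment `// Set the groupFilter attributed to take the csv.` has a typo (`attribute`) and does not say what the CSV means; since the mock returns `"userDN,userName"` from a `groupfilter` attribute and the filter uses `{0}` and `{1}`, state the positional contract (first name fills `{0}`, second fills `{1}`, `userDN` is the user's DN, any other name is an attribute of the user entry) so a reader can tell why `userName` is looked up. A second test for a filter whose placeholder count exceeds the CSV entries would cover the `InvalidSearchFilterException: number exceeds argument list` case that motivates this change.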
Review Comment:
sic. 'below'
> Allow dynamic groupSearchFilter in LdapGroupsMapping
> ----------------------------------------------------
>
> Key: HADOOP-18388
> URL: https://issues.apache.org/jira/browse/HADOOP-18388
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Ayush Saxena
> Assignee: Ayush Saxena
> Priority: Major
> Labels: pull-request-available
> Attachments: dynamic-filter-idea.patch
>
>
> As of now the lookupGroup() method doesn't allow placeholders in
> groupSearchFilter, so it cannot be dynamically adjusted.
> If we have placeholders for groupSearchFilter like: (&(|(XYZ={0})(ABC={1}))(objectClass=posixGroup))
> This fails here:
>
> {code:java}
> groupResults =
>     c.search(groupbaseDN,
>         "(&" + groupSearchFilter + "(" + groupMemberAttr + "={0}))",
>         new Object[]{userDn},
>         SEARCH_CONTROLS);
> {code}
> With
>
> {noformat}
> javax.naming.directory.InvalidSearchFilterException: number exceeds argument list: 1; remaining name
> {noformat}
>
> >> Dropped off or changed the details above which I thought would not be safe to disclose.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
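As an added example, not code from this PR or from Hadoop's LdapGroupsMapping (the class name DynamicGroupFilterExample, the helper names, the literal "userDN" keyword, the CSV convention and the sample user entry are assumptions made for the illustration), the following Java shows how a CSV of argument names can be resolved from the user's own entry into the filterArgs array for a placeholder filter, and how the placeholder count can be checked before the search so the "number exceeds argument list" failure quoted in the issue is reported with a clear message instead:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;

/**
 * Illustrative resolver for a group search filter that carries {n} placeholders.
 * Not the Hadoop implementation: class, method names and the CSV convention are
 * assumptions for this example.
 */
public final class DynamicGroupFilterExample {

    /** Matches {0}, {1}, ... as interpreted by DirContext.search(..., filterArgs, ...). */
    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\d+)\\}");

    /** Number of filter arguments the expression needs: highest index plus one. */
    static int requiredArgCount(String filterExpr) {
        int max = -1;
        Matcher m = PLACEHOLDER.matcher(filterExpr);
        while (m.find()) {
            max = Math.max(max, Integer.parseInt(m.group(1)));
        }
        return max + 1;
    }

    /**
     * Resolves a CSV of argument names into the filterArgs array, in CSV order.
     * Assumed convention: the literal "userDN" means the user's DN; any other
     * name is an attribute of the user's own LDAP entry. Values go to JNDI as
     * arguments and are never spliced into the filter string, so the LDAP
     * provider hex-encodes '*', '(', ')' and '\' in them (RFC 4515 escaping).
     */
    static Object[] resolveFilterArgs(String argSpec, String userDn,
                                      Attributes userEntry) throws NamingException {
        List<Object> args = new ArrayList<>();
        for (String raw : argSpec.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (name.equals("userDN")) {
                args.add(userDn);
                continue;
            }
            Attribute attr = userEntry.get(name);
            if (attr == null || attr.get() == null) {
                throw new NamingException("user entry has no value for attribute '" + name + "'");
            }
            args.add(attr.get());
        }
        return args.toArray();
    }

    /**
     * Builds the full filter the way the quoted lookupGroup() code does and checks
     * up front that every placeholder has an argument. {0} must be the user DN
     * because the appended member clause reuses it.
     */
    static String buildGroupFilter(String groupSearchFilter, String groupMemberAttr,
                                   String userDn, Object[] args) {
        String full = "(&" + groupSearchFilter + "(" + groupMemberAttr + "={0}))";
        int needed = requiredArgCount(full);
        if (needed > args.length) {
            throw new IllegalArgumentException("filter " + full + " references {"
                + (needed - 1) + "} but only " + args.length + " argument(s) resolved");
        }
        if (!userDn.equals(args[0])) {
            throw new IllegalArgumentException("argument {0} must be the user DN");
        }
        return full;
    }

    public static void main(String[] a) throws NamingException {
        // Constructed user entry standing in for the SearchResult of the first query.
        String userDn = "uid=some_user,ou=people,dc=example,dc=com";
        BasicAttributes entry = new BasicAttributes(true);
        entry.put("uid", "some_user");
        // A hostile-looking value: as a filter argument it cannot alter the filter.
        entry.put("displayName", "some_user)(objectClass=*");

        String filter = "(|(memberUid={0})(uname={1}))(objectClass=group)";
        Object[] args = resolveFilterArgs("userDN,displayName", userDn, entry);
        String full = buildGroupFilter(filter, "member", userDn, args);
        System.out.println(full + " with args " + Arrays.toString(args));
        // c.search(groupBaseDn, full, args, SEARCH_CONTROLS) would follow here.

        try {
            buildGroupFilter("(&(memberUid={0})(gidNumber={2}))", "member", userDn, args);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter string stays a configuration constant and only the argument array varies per user, which is the property that makes a placeholder filter safe to drive from attributes of the user's entry; the early count check turns a misconfigured filter into a configuration error rather than a per-lookup JNDI exception.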