Posted to common-issues@hadoop.apache.org by "Esther Kundin (JIRA)" <ji...@apache.org> on 2016/05/02 17:28:12 UTC

[jira] [Commented] (HADOOP-12291) Add support for nested groups in LdapGroupsMapping

    [ https://issues.apache.org/jira/browse/HADOOP-12291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15266783#comment-15266783 ] 

Esther Kundin commented on HADOOP-12291:
----------------------------------------

Thank you for the comments.  I am working on some of the fixes.

The thought behind leaving the option of using -1 was that some companies may have a deeply nested structure and do not mind the cost of the lookups.  We thought this would be the most flexible way of building the solution, and as the default is set appropriately, most people would not be impacted in any case.  Do you feel strongly that the -1 option for infinite recursion should be removed?

For your point 2, the DIRECTORY_SEARCH_TIMEOUT is a timeout set for each LDAP query.  We are not changing the semantics of the current code, as it currently does 2 calls - one for the user and one for the group - and each of those calls will have the full timeout set.  We are raising the number of calls, but the semantics are still the same, with the timeout being on a per-call basis.

For your point 7, I do not think you can make fewer LDAP queries.  You will always need at least one, in order to leave the original group lookup and the if check will take care of subsequent calls. I can add an extra check right at the start of goUpGroupHierarchy.  This will prevent an extra query if the function is called incorrectly.

> Add support for nested groups in LdapGroupsMapping
> --------------------------------------------------
>
>                 Key: HADOOP-12291
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12291
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Gautam Gopalakrishnan
>            Assignee: Esther Kundin
>              Labels: features, patch
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12291.001.patch, HADOOP-12291.002.patch
>
>
> When using {{LdapGroupsMapping}} with Hadoop, nested groups are not supported. So for example if user {{jdoe}} is part of group A which is a member of group B, the group mapping currently returns only group A.
> Currently this facility is available with {{ShellBasedUnixGroupsMapping}} and SSSD (or similar tools) but would be good to have this feature as part of {{LdapGroupsMapping}} directly.



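An added example, not part of the original message or of the Hadoop patch: a small Java model of the trade-off discussed in the comment, where a depth limit (with -1 meaning unlimited) bounds the number of lookups and a per-query timeout adds up across those lookups. The directory contents, the one-query-per-level batching, the timeout value and all names are assumptions made for illustration.

```java
import java.util.*;

public class NestedGroupLookup {
    // Constructed sample directory: group -> groups it is directly a member of.
    // "c" -> "a" closes a membership cycle on purpose.
    static final Map<String, List<String>> MEMBER_OF = Map.of(
        "a", List.of("b"),
        "b", List.of("c", "d"),
        "c", List.of("a"),
        "d", List.of("e"));

    static int queries; // simulated LDAP round trips issued so far

    // Stand-in for one LDAP search returning the parents of every group in the batch.
    static Set<String> queryParents(Set<String> batch) {
        queries++;
        Set<String> parents = new TreeSet<>();
        for (String g : batch) parents.addAll(MEMBER_OF.getOrDefault(g, List.of()));
        return parents;
    }

    // maxLevels = -1 means no depth limit; the seen-set is what ends a cyclic walk.
    static Set<String> resolve(Set<String> direct, int maxLevels) {
        Set<String> seen = new TreeSet<>(direct);
        Set<String> frontier = new TreeSet<>(direct);
        for (int level = 0; !frontier.isEmpty() && (maxLevels < 0 || level < maxLevels); level++) {
            Set<String> parents = queryParents(frontier);
            parents.removeAll(seen);   // drop groups already resolved (cycle guard)
            seen.addAll(parents);
            frontier = parents;
        }
        return seen;
    }

    public static void main(String[] args) {
        long perQueryTimeoutMs = 10_000; // assumed value, applied to each call separately
        for (int limit : new int[] {0, 1, 2, -1}) {
            queries = 0;
            Set<String> groups = resolve(Set.of("a"), limit);
            System.out.printf("limit=%2d groups=%s queries=%d worstCaseWaitMs=%d%n",
                limit, groups, queries, queries * perQueryTimeoutMs);
        }
    }
}
```

The query count here covers only the nested-group walk, not the initial user and group lookups the comment mentions. With an unlimited depth, the visited set is the only thing that stops a cyclic membership chain from looping.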