Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/05/03 15:41:00 UTC

[jira] [Work logged] (HIVE-27311) Improve LDAP auth to support generic search bind authentication

     [ https://issues.apache.org/jira/browse/HIVE-27311?focusedWorklogId=860374&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860374 ]

ASF GitHub Bot logged work on HIVE-27311:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/May/23 15:40
            Start Date: 03/May/23 15:40
    Worklog Time Spent: 10m 
      Work Description: nrg4878 opened a new pull request, #4284:
URL: https://github.com/apache/hive/pull/4284

   … Gangam)
   
   
   ### What changes were proposed in this pull request?
   Support for generic LDAP search bind authentication with user and group filtering.
   For user filtering, use these configurations
   hive.server2.authentication.ldap.baseDN
   hive.server2.authentication.ldap.userSearchFilter
   
   For group filtering (in conjunction with the user filtering)
   hive.server2.authentication.ldap.groupBaseDN
   hive.server2.authentication.ldap.groupSearchFilter
   
   For example:
   user search filter: (&(uid={0})(objectClass=person))
   baseDN: ou=Users,dc=apache,dc=org
   group search filter: (&(|(memberUid={0})(memberUid={1}))(objectClass=posixGroup))
   groupBaseDN: ou=Groups,dc=apache,dc=org
   
   In this case, {0} in the user filter is the username to be authenticated. A user search is performed to find the userDN, which is then substituted into the group search filter to perform a search. If the result set is non-empty, the user is assumed to have satisfied the criteria and the auth succeeds.
   
   Group filter configuration is optional above. In such cases, only a user search is performed and success is based on finding the user.
   
   ### Why are the changes needed?
   Enabling generic ldap configuration for Hive LDAP authentication
   
   ### Does this PR introduce _any_ user-facing change?
   Backward compatible.
   
   ### How was this patch tested?
   Manually using OpenLDAP server
   Unit Tests that use Apache Directory Services LDAP server




Issue Time Tracking
-------------------

            Worklog Id:     (was: 860374)
    Remaining Estimate: 0h
            Time Spent: 10m

> Improve LDAP auth to support generic search bind authentication
> ---------------------------------------------------------------
>
>                 Key: HIVE-27311
>                 URL: https://issues.apache.org/jira/browse/HIVE-27311
>             Project: Hive
>          Issue Type: Improvement
>          Components: HiveServer2
>    Affects Versions: 4.0.0-alpha-2
>            Reporter: Naveen Gangam
>            Assignee: Naveen Gangam
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Hive's LDAP auth configuration is home-baked and a bit specific to hive. This was by design intending to be as flexible as it can be for accommodating various LDAP implementations. But this does not necessarily make it easy to configure hive with such custom values for ldap filtering when most other components accept generic ldap filters, for example: search bind filters.
> There has to be a layer of translation to have it configured. Instead we can enhance Hive to support generic search bind filters.
> To support this, I am proposing adding NEW alternate configurations. 
> hive.server2.authentication.ldap.userSearchFilter
> hive.server2.authentication.ldap.groupSearchFilter
> hive.server2.authentication.ldap.groupBaseDN
> Search bind filtering will also use EXISTING config param
> hive.server2.authentication.ldap.baseDN
> This is alternate configuration and will be used first if specified. So users can continue to use existing configuration as well. These changes should not interfere with existing configurations.



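The two-step filter substitution described in the pull request, as an added example that is not part of the original message and is not Hive's code. The function names are hypothetical, the configuration values are the ones quoted in the PR text, and it assumes that in the group filter {0} is the user DN found by the user search and {1} is the username; every substituted value is escaped per RFC 4515 so that filter metacharacters in a login name stay literal.

```python
import re

# Constructed sample configuration, using the keys and example values from the PR text.
PREFIX = "hive.server2.authentication.ldap."
CONF = {
    PREFIX + "baseDN": "ou=Users,dc=apache,dc=org",
    PREFIX + "userSearchFilter": "(&(uid={0})(objectClass=person))",
    PREFIX + "groupBaseDN": "ou=Groups,dc=apache,dc=org",
    PREFIX + "groupSearchFilter":
        "(&(|(memberUid={0})(memberUid={1}))(objectClass=posixGroup))",
}

# RFC 4515: these characters must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Return value with LDAP filter metacharacters replaced by \\XX escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def fill(template, *values):
    """Substitute {n} placeholders in a single pass, escaping every value."""
    def repl(match):
        idx = int(match.group(1))
        if idx >= len(values):
            raise ValueError("no value for placeholder {%d}" % idx)
        return escape_filter_value(values[idx])
    # One pass: a value that itself contains "{1}" is never expanded again.
    return re.sub(r"\{(\d+)\}", repl, template)


def user_search(conf, username):
    """Step 1: (search base, filter) used to locate the user's DN."""
    return conf[PREFIX + "baseDN"], fill(conf[PREFIX + "userSearchFilter"], username)


def group_search(conf, user_dn, username):
    """Step 2: (search base, filter) for the group check, or None if unconfigured.

    Assumption (not stated on the page): {0} is the user DN, {1} the username.
    """
    template = conf.get(PREFIX + "groupSearchFilter")
    if not template:
        return None  # group filter is optional; the user search alone decides
    return conf[PREFIX + "groupBaseDN"], fill(template, user_dn, username)
```
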