Posted to dev@knox.apache.org by larry mccay <lm...@apache.org> on 2016/08/09 19:24:05 UTC

[DISCUSS] KIP-1: LDAP Improvements Proposal for 0.10.0

All -

I've created a Knox Improvement Proposal for LDAP Improvements [1].

We need to discuss the various improvement topics that I've captured in
there and whether there are any others that need to be added.

I would like to scope this work to be able to be delivered as the central
theme for the 0.10.0 release with room for a few other fixes and minor
improvements. We should try to get this release done in 1 1/2 month
timeframe.

Those options that would fundamentally address the most pain points would
obviously be most important but we need to try and address all of the most
painful ones. :)

In other words, I'd like to identify the JIRAs that would redundantly
address performance if some other ones will take care of it. If the use of PAM
with the HadoopGroupMapping provider will eliminate the need to handle so
many returned groups in Shiro then we should just deprecate the use of the
existing shiro group lookup.

I will create a JIRA for any of the topics in the wiki that lack one.
Let's discuss this general theme here on the email list and capture
specifics in the JIRAs themselves. Once we come to some consensus on this
list we can make sure that KIP-1 reflects the decisions made here.

Thoughts?

--larry

[1] https://cwiki.apache.org/confluence/display/KNOX/KIP-1+LDAP+Improvements

Re: [DISCUSS] KIP-1: LDAP Improvements Proposal for 0.10.0

Posted by larry mccay <lm...@apache.org>.
All -

KNOX-537 [1] has been committed to master.

This is one of the candidates listed in KIP-1 [2] for LDAP improvements in
the 0.10.0 release.
It has a built-in test for PAM to authenticate against an OS user.
While we can't really automate this very well out of the box, we have made
it so that environment variables may be set for the OS user credentials in
order to run the test.

I created an OS user with guest:guest-password credentials on my machine
for testing the patch and will likely do the same for automated tests where
possible.

That said, the only use case tested was exactly that - the local OS user.
What we need to do is identify the use cases that we need to test for the
desired set of improvements listed in KIP-1.

It would be terrific to test the PAM mechanism for the pain points
associated with the need for KIP-1.
We may be able to functionally call this done.

In my mind, it seems that we need to determine the following about the PAM
support:

1. can we more easily control the size of the returned group lookup
results? (KNOX-644)
2. if/when it is still needed how is paging done with the PAM support?
(KNOX-644)
3. can we use nested OU support for LDAP/AD based authentication?
(KNOX-536/KNOX-537)
4. can we use computed group attribute for user group discovery - or is the
intent of this covered by something else with PAM? (KNOX-461)

I do believe that we still need KNOX-237 [3] in order to have a consistent
set of behavior and configuration taxonomy across Apache Hadoop and Knox.
There could however be enough consistency in use and functionality between
the PAM support in the Hadoop Groups mechanism and this that we could defer
this until post 0.10.0. This would need some investigation and insights
from folks on this list.

KNOX-741 [4] is also still needed to simplify the configuration management
and reduce redundant config for things like LDAP.

Thoughts?

Use case definitions for determining the questions above?

thanks!

--larry

[1] https://issues.apache.org/jira/browse/KNOX-537
[2] https://cwiki.apache.org/confluence/display/KNOX/KIP-1+LDAP+Improvements
[3] https://issues.apache.org/jira/browse/KNOX-237
[4] https://issues.apache.org/jira/browse/KNOX-741





On Tue, Aug 9, 2016 at 3:24 PM, larry mccay <lm...@apache.org> wrote:

> All -
>
> I've created a Knox Improvement Proposal for LDAP Improvements [1].
>
> We need to discuss the various improvement topics that I've captured in
> there and whether there are any others that need to be added.
>
> I would like to scope this work to be able to be delivered as the central
> theme for the 0.10.0 release with room for a few other fixes and minor
> improvements. We should try to get this release done in 1 1/2 month
> timeframe.
>
> Those options that would fundamentally address the most pain points would
> obviously be most important but we need to try and address all of the most
> painful ones. :)
>
> In other words, I'd like to identify the JIRAs that would redundantly
> address performance if some other ones will take care of it. If the use of PAM
> with the HadoopGroupMapping provider will eliminate the need to handle so
> many returned groups in Shiro then we should just deprecate the use of the
> existing shiro group lookup.
>
> I will create a JIRA for any of the topics in the wiki that lack one.
> Let's discuss this general theme here on the email list and capture
> specifics in the JIRAs themselves. Once we come to some consensus on this
> list we can make sure that KIP-1 reflects the decisions made here.
>
> Thoughts?
>
> --larry
>
> [1] https://cwiki.apache.org/confluence/display/KNOX/KIP-1+LDAP+Improvements