Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
Reviewed
-
If the user object returned by LDAP server has the user's group object DN (supported by Active Directory), Hadoop can reduce LDAP group mapping latency by setting hadoop.security.group.mapping.ldap.search.attr.memberof to memberOf.
Description
The typical LDAP group name resolution works well under typical scenarios. However, we have seen cases where a user is mapped to many groups (in an extreme case, a user is mapped to more than 100 groups). The way it's being implemented now makes this case super slow resolving groups from ActiveDirectory.
The current LDAP group resolution implementation sends two queries to a ActiveDirectory server. The first query returns a user object, which contains DN (distinguished name). The second query looks for groups where the user DN is a member. If a user is mapped to many groups, the second query returns all group objects associated with the user, and is thus very slow.
After studying a user object in ActiveDirectory, I found a user object actually contains a "memberOf" field, which is the DN of all group objects where the user belongs to. Assuming that an organization has no recursive group relation (that is, a user A is a member of group G1, and group G1 is a member of group G2), we can use this properties to avoid the second query, which can potentially run very slow.
I propose that we add a configuration to only enable this feature for users who want to reduce group resolution time and who does not have recursive groups, so that existing behavior will not be broken.
Attachments
Attachments
Issue Links
- Dependent
-
-
- Resolved
-
- is related to
-
HDFS-9956 LDAP PERFORMANCE ISSUE AND FAIL OVER
-
- Open
-
- links to