[HADOOP-18074] Partial/Incomplete groups list can be returned in LDAP groups lookup - ASF JIRA

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.4.0, 3.3.4
Component/s: security
Labels:
- Reviewed
- pull-request-available

Target Version/s:

3.3.4

Description

Hello,

The

Set<String> doGetGroups(String user, int goUpHierarchy)

method in

https://github.com/apache/hadoop/blob/b27732c69b114f24358992a5a4d170bc94e2ceaf/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java#L476

Looks like having an issue if in the middle of the loop a NamingException is caught:

The groups variable is not reset in the catch clause and therefore the fallback lookup cannot be executed (when goUpHierarchy==0 at least):

if (groups.isEmpty() || goUpHierarchy > 0) {        
    groups = lookupGroup(result, c, goUpHierarchy);
}

Consequence is that only a partial list of groups is returned, which is not correct.

Following options could be used as solution:

Reset the group to an empty list in the catch clause, to trigger the fallback query.
Add an option flag to enable ignoring groups with Naming Exception (since they are not groups most probably)

Independently, would any issue also occur (and therefore full list cannot be returned) in the first lookup as well as in the fallback query, the method should/could(with option flag) throw an Exception, because in some scenario accuracy is important.