Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 0.23.2
    • Fix Version/s: 2.0.0-alpha
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Target Version/s:

      Description

      Planning on building a group mapping service that will go and talk directly to an Active Directory setup to get group memberships

      1. HADOOP-8121.patch
        23 kB
        Jonathan Natkins
      2. HADOOP-8121.patch
        23 kB
        Jonathan Natkins
      3. HADOOP-8121.patch
        21 kB
        Jonathan Natkins
      4. HADOOP-8121.patch
        22 kB
        Jonathan Natkins
      5. HADOOP-8121.patch
        19 kB
        Jonathan Natkins
      6. HADOOP-8121.patch
        18 kB
        Jonathan Natkins
      7. HADOOP-8121.patch
        18 kB
        Jonathan Natkins
      8. HADOOP-8121.patch
        18 kB
        Jonathan Natkins
      9. HADOOP-8121.patch
        18 kB
        Jonathan Natkins
      10. HADOOP-8121.patch
        18 kB
        Jonathan Natkins
      11. HADOOP-8121.patch
        9 kB
        Jonathan Natkins
      12. HADOOP-8121-common.patch
        22 kB
        Jonathan Natkins
      13. HADOOP-8121-common.patch
        22 kB
        Jonathan Natkins
      14. HADOOP-8121-hdfs.patch
        1 kB
        Jonathan Natkins

        Issue Links

          Activity

          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12516637/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          -1 tests included. The patch doesn't appear to include any new or modified tests.
          Please justify why no new tests are needed for this patch.
          Also please list what manual steps were performed to verify this patch.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/649//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/649//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12516637/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/649//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/649//console This message is automatically generated.
          Hide
          Jonathan Natkins added a comment -

          Updated with a new patch that includes some mockito-based tests.

          For fairly obvious reasons, it's difficult to test most of this functionality in an automated fashion. Manually, I did tested valid and invalid configs against an Active Directory server using both SSL- and non-SSL-enabled configurations.

          Show
          Jonathan Natkins added a comment - Updated with a new patch that includes some mockito-based tests. For fairly obvious reasons, it's difficult to test most of this functionality in an automated fashion. Manually, I did tested valid and invalid configs against an Active Directory server using both SSL- and non-SSL-enabled configurations.
          Hide
          Hadoop QA added a comment -

          +1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12516664/HADOOP-8121.2.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 2 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in .

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/650//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/650//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - +1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12516664/HADOOP-8121.2.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 2 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/650//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/650//console This message is automatically generated.
          Hide
          Jonathan Natkins added a comment -

          Updated this patch with a test that more closely mocks out what an actual LDAP server would do, and renamed the class to be a bit more generic, since this class will likely work for most LDAP installations. However, the defaults will make it easiest to configure for Active Directory.

          Show
          Jonathan Natkins added a comment - Updated this patch with a test that more closely mocks out what an actual LDAP server would do, and renamed the class to be a bit more generic, since this class will likely work for most LDAP installations. However, the defaults will make it easiest to configure for Active Directory.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12516758/HADOOP-8121.3.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          +1 javac. The applied patch does not increase the total number of javac compiler warnings.

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/654//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/654//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12516758/HADOOP-8121.3.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/654//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/654//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          Patch looks pretty good, Natty. I agree the test is substantially improved from the last patch. A few comments:

          1. I like the class rename to be more generic, but the class method comment should be changed to suit.
          2. Please use 4-space indentation on lines that run over 80 characters. (The configuration key lines that run over 80 chars are fine.)
          3. I think it'd be good to have a config prefix variable for "hadoop.ssecurity.group.mapping.ldap" that you can append all of the config keys to.
          4. The config keys and their default values should also be put in core-default.xml as well as in the code, for documentation purposes.
          5. It seems odd to me that we'll create a new DirContext for every call to getGroups(). Can that connection to the LDAP server not be cached for the lifetime of the GMSP? Is there a performance issue with creating a new DirContext each time, e.g. extra round trips to the LDAP server? (I don't know that there is a perf issue, but there might be.)
          6. There's a mention of "HDFS" in the comments of LdapGroupsMapping, but the class will be used by both HDFS and MR.
          7. Are there not constants in the Java libraries that could be used in lieu of the hard-coded strings "javax.net.ssl.keyStorePassword", "javax.net.ssl.keyStore", etc? (There very well may not be, I'm not sure.)
          8. Using the mockContext from a non-static inner class seems a little goofy to me. Instead, try just making an instance of LdapGroupsMapping and then using Mockito.spy(...) to interpose on the calls to createDirContext.
          9. Add an "ldapUrl == null ||" to the check in setConf for an unconfigured ldapUrl.
          10. You might consider a static import of Mockito.*, so you can get rid of all the "Mockito." throughout the test.
          11. Some goofy indentation in the first call to "Mockito.when".
          12. The test class could use a few more comments, e.g. it took me a minute to realize you were setting up the mock to return first the user name, then the group name on consecutive calls to DirContext#search.
          Show
          Aaron T. Myers added a comment - Patch looks pretty good, Natty. I agree the test is substantially improved from the last patch. A few comments: I like the class rename to be more generic, but the class method comment should be changed to suit. Please use 4-space indentation on lines that run over 80 characters. (The configuration key lines that run over 80 chars are fine.) I think it'd be good to have a config prefix variable for "hadoop.ssecurity.group.mapping.ldap" that you can append all of the config keys to. The config keys and their default values should also be put in core-default.xml as well as in the code, for documentation purposes. It seems odd to me that we'll create a new DirContext for every call to getGroups(). Can that connection to the LDAP server not be cached for the lifetime of the GMSP? Is there a performance issue with creating a new DirContext each time, e.g. extra round trips to the LDAP server? (I don't know that there is a perf issue, but there might be.) There's a mention of "HDFS" in the comments of LdapGroupsMapping, but the class will be used by both HDFS and MR. Are there not constants in the Java libraries that could be used in lieu of the hard-coded strings "javax.net.ssl.keyStorePassword", "javax.net.ssl.keyStore", etc? (There very well may not be, I'm not sure.) Using the mockContext from a non-static inner class seems a little goofy to me. Instead, try just making an instance of LdapGroupsMapping and then using Mockito.spy(...) to interpose on the calls to createDirContext. Add an "ldapUrl == null ||" to the check in setConf for an unconfigured ldapUrl. You might consider a static import of Mockito.*, so you can get rid of all the "Mockito." throughout the test. Some goofy indentation in the first call to "Mockito.when". The test class could use a few more comments, e.g. it took me a minute to realize you were setting up the mock to return first the user name, then the group name on consecutive calls to DirContext#search.
          Hide
          Jonathan Natkins added a comment -

          5. I'm kinda of the mind that it should be one DirContext per connection. It's possible that we could cache the connection, but it seems like that wouldn't be ideal. These systems are made for handling a lot of short-lived connections, and I feel like this is no different. I'll do a little additional research on this, but I think not caching the connection is the right thing to do.
          7. I googled a bit, and as far as I can tell, those contants don't exist anywhere. I just see a lot of other code bases that pull them out into constants, as well.

          Everything else has been updated accordingly. Let me know how the new diff looks. Thanks!

          Show
          Jonathan Natkins added a comment - 5. I'm kinda of the mind that it should be one DirContext per connection. It's possible that we could cache the connection, but it seems like that wouldn't be ideal. These systems are made for handling a lot of short-lived connections, and I feel like this is no different. I'll do a little additional research on this, but I think not caching the connection is the right thing to do. 7. I googled a bit, and as far as I can tell, those contants don't exist anywhere. I just see a lot of other code bases that pull them out into constants, as well. Everything else has been updated accordingly. Let me know how the new diff looks. Thanks!
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12516914/HADOOP-8121.4.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/667//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/667//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12516914/HADOOP-8121.4.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/667//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/667//console This message is automatically generated.
          Hide
          Jonathan Natkins added a comment -

          After reading through the LDAP library code, I decided caching the connection probably isn't a big deal, and I've restructured this patch slightly to do so.

          Show
          Jonathan Natkins added a comment - After reading through the LDAP library code, I decided caching the connection probably isn't a big deal, and I've restructured this patch slightly to do so.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12516960/HADOOP-8121.5.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/668//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/668//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12516960/HADOOP-8121.5.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/668//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/668//console This message is automatically generated.
          Hide
          Jonathan Natkins added a comment -

          Blah. Unused import removed.

          Show
          Jonathan Natkins added a comment - Blah. Unused import removed.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12516968/HADOOP-8121.6.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/669//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/669//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12516968/HADOOP-8121.6.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/669//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/669//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          Blah. Unused import removed.

          I don't think that was the problem. I think it's this:

          [WARNING] hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java:[183,27] com.sun.jndi.ldap.LdapCtxFactory is Sun proprietary API and may be removed in a future release

          This warning is probably unavoidable, but can you check to see if there's a preferred way of doing this which wouldn't generate this warning.

          Show
          Aaron T. Myers added a comment - Blah. Unused import removed. I don't think that was the problem. I think it's this: [WARNING] hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java: [183,27] com.sun.jndi.ldap.LdapCtxFactory is Sun proprietary API and may be removed in a future release This warning is probably unavoidable, but can you check to see if there's a preferred way of doing this which wouldn't generate this warning.
          Hide
          Jonathan Natkins added a comment -

          I agree that the warning is mostly unavoidable, and I don't think there's any particularly good way of dealing with it. It looks like Oracle is working on updating some of the APIs (http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/index.html contains some of the updates), but there doesn't seem to be any new way to get the InitialContextFactory. The interwebs generally lead you to something like this:

          env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

          In fact, this line of code shows up in Oracle's docs (section 15.1 http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/jndi-ldap.html#pooling)

          I think it makes more sense to do the right thing and call the getName() method than use a hard-coded string, so if this is alright, I'll just add warning suppression.

          Show
          Jonathan Natkins added a comment - I agree that the warning is mostly unavoidable, and I don't think there's any particularly good way of dealing with it. It looks like Oracle is working on updating some of the APIs ( http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/index.html contains some of the updates), but there doesn't seem to be any new way to get the InitialContextFactory. The interwebs generally lead you to something like this: env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); In fact, this line of code shows up in Oracle's docs (section 15.1 http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/jndi-ldap.html#pooling ) I think it makes more sense to do the right thing and call the getName() method than use a hard-coded string, so if this is alright, I'll just add warning suppression.
          Hide
          Aaron T. Myers added a comment -

          Thanks for checking on that, Natty. A few more comments/questions:

          1. Seems like we could cache the SearchControls object as well. Looks to me like it could even just be statically initialized.
          2. I think createDirContext should be renamed getDirContext, as it's not necessarily creating a new DirContext each time it's called.
          3. There's what looks to be a potential race in initializing the DirContext, since you check for null and then initialize without holding any lock, though it may not matter at all.
          4. Since the DirContext is now long-lived, what happens if a connection to the LDAP server breaks? Will this class automatically re-connect? (Is that even the right term?)
          Show
          Aaron T. Myers added a comment - Thanks for checking on that, Natty. A few more comments/questions: Seems like we could cache the SearchControls object as well. Looks to me like it could even just be statically initialized. I think createDirContext should be renamed getDirContext, as it's not necessarily creating a new DirContext each time it's called. There's what looks to be a potential race in initializing the DirContext, since you check for null and then initialize without holding any lock, though it may not matter at all. Since the DirContext is now long-lived, what happens if a connection to the LDAP server breaks? Will this class automatically re-connect? (Is that even the right term?)
          Hide
          Jonathan Natkins added a comment -

          1. Yeah, I agree with that
          2. Done
          3. I added some synchronize blocks, just to be safe

          4. Turns out it wasn't long lived, because I had a little bug in my code, but it's cached properly now. Here's a link to some relevant code: http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/jndi/ldap/LdapCtx.java.html

          Digging in a little bit, you'll see that the ctx.search call leads to a call of LdapCtx.doSearch(). Conveniently, the first line of that method calls LdapCtx.ensureOpen(), which reconnects to the LDAP server, if necessary.

          Show
          Jonathan Natkins added a comment - 1. Yeah, I agree with that 2. Done 3. I added some synchronize blocks, just to be safe 4. Turns out it wasn't long lived, because I had a little bug in my code, but it's cached properly now. Here's a link to some relevant code: http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/jndi/ldap/LdapCtx.java.html Digging in a little bit, you'll see that the ctx.search call leads to a call of LdapCtx.doSearch(). Conveniently, the first line of that method calls LdapCtx.ensureOpen(), which reconnects to the LDAP server, if necessary.
          Hide
          Jonathan Natkins added a comment -

          Patch updated

          Show
          Jonathan Natkins added a comment - Patch updated
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12517130/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed the unit tests build

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/673//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/673//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/673//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12517130/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed the unit tests build +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/673//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/673//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/673//console This message is automatically generated.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12517136/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/674//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/674//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/674//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12517136/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/674//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/674//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/674//console This message is automatically generated.
          Hide
          Jonathan Natkins added a comment -

          I've made the bulk of getGroups synchronized, to be thread-safe around a) the call to getDirContext(), as well as deal with the lack of thread-safety provided by the LdapCtx object (which underlies the DirContext).

          I've also added a warning suppression for the deprecated class (for some reason the deprecation warning doesn't show up in Eclipse for me. Hopefully this won't cause another compiler warning)

          The SearchControls object is now declared statically.

          Show
          Jonathan Natkins added a comment - I've made the bulk of getGroups synchronized, to be thread-safe around a) the call to getDirContext(), as well as deal with the lack of thread-safety provided by the LdapCtx object (which underlies the DirContext). I've also added a warning suppression for the deprecated class (for some reason the deprecation warning doesn't show up in Eclipse for me. Hopefully this won't cause another compiler warning) The SearchControls object is now declared statically.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12517147/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.ipc.TestRPCCallBenchmark
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/676//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/676//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12517147/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.ipc.TestRPCCallBenchmark org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/676//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/676//console This message is automatically generated.
          Hide
          Steve Loughran added a comment -

          Does this work when tested against the Java-based ApacheDS server? http://directory.apache.org/apacheds/1.5/ if it does, that would make functional testing a lot easier

          Show
          Steve Loughran added a comment - Does this work when tested against the Java-based ApacheDS server? http://directory.apache.org/apacheds/1.5/ if it does, that would make functional testing a lot easier
          Hide
          Jonathan Natkins added a comment -

          Agreed, it would be worthwhile to test against ApacheDS. In light of the fact that I'm relatively unfamiliar with ApacheDS, I've filed HADOOP-8145 to track this. For the time being, the library code has been mocked to test the functionality of all the non-library code, if that's alright.

          Show
          Jonathan Natkins added a comment - Agreed, it would be worthwhile to test against ApacheDS. In light of the fact that I'm relatively unfamiliar with ApacheDS, I've filed HADOOP-8145 to track this. For the time being, the library code has been mocked to test the functionality of all the non-library code, if that's alright.
          Hide
          Aaron T. Myers added a comment -

          Very close now, Natty. Just a few little comments.

          1. In the class comment, rather than "slaves to an LDAP server" how about "connects directly to an LDAP server" ?
          2. Should use 4-space indentation on the class declaration line.
          3. No need to initialize SEARCH_CONTROLS in the static { } block. Just do it inline with the declaration.
          4. Don't pull out the config keys on every call to getGroups. Instead, just do it once in the call to setConf and set some instance variables.
          5. Why have a synchronized block around all the content of getGroups, vs just making the whole method synchronized?
          6. I don't understand the comment "getDirContext needs to be synchronized, since we're potentially setting up a singleton"
          7. What's the point of assigning SEARCH_CONTROLS to a local variable in getGroups?
          8. I don't understand the comment "// If we didn't get the group, just return the groups we know about"
          9. Some odd indentation in getDirContext, and should probably synchronize getDirContext as well.
          10. s/for/of/g in "The URL for the LDAP server to use"
          11. No need for the instance variable mappingService in the test.
          12. I don't understand where the "hdfs" user comes from in testGetGroups. Why isn't that mentioned anywhere in setupMocks?
          Show
          Aaron T. Myers added a comment - Very close now, Natty. Just a few little comments. In the class comment, rather than "slaves to an LDAP server" how about "connects directly to an LDAP server" ? Should use 4-space indentation on the class declaration line. No need to initialize SEARCH_CONTROLS in the static { } block. Just do it inline with the declaration. Don't pull out the config keys on every call to getGroups. Instead, just do it once in the call to setConf and set some instance variables. Why have a synchronized block around all the content of getGroups, vs just making the whole method synchronized? I don't understand the comment "getDirContext needs to be synchronized, since we're potentially setting up a singleton" What's the point of assigning SEARCH_CONTROLS to a local variable in getGroups? I don't understand the comment "// If we didn't get the group, just return the groups we know about" Some odd indentation in getDirContext, and should probably synchronize getDirContext as well. s/for/of/g in "The URL for the LDAP server to use" No need for the instance variable mappingService in the test. I don't understand where the "hdfs" user comes from in testGetGroups. Why isn't that mentioned anywhere in setupMocks?
          Hide
          Jonathan Natkins added a comment -

          I removed some of the confusing comments. I think that the code is a little more self-explanatory now. I also changed the name of the hdfs user I referenced in testGetGroups. The search method was mocked to give a particular return value regardless of the string passed in, so the hdfs user was totally arbitrary in this case.

          Show
          Jonathan Natkins added a comment - I removed some of the confusing comments. I think that the code is a little more self-explanatory now. I also changed the name of the hdfs user I referenced in testGetGroups. The search method was mocked to give a particular return value regardless of the string passed in, so the hdfs user was totally arbitrary in this case.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12517534/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.fs.viewfs.TestViewFsTrash

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/685//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/685//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/685//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12517534/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.fs.viewfs.TestViewFsTrash +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/685//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/685//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/685//console This message is automatically generated.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12517596/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in .

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/687//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/687//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/687//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12517596/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/687//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/687//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/687//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          I see what you're saying re: the arbitrary user name, but in the latest patch it still looks to me like you're using "hdfs" in the test case. Obviously this will work, but I think you should either change the name so it's obvious that it's arbitrary, or add a comment explaining this.

          I'd also recommend you move the comment "The underlying LdapCtx is also not thread-safe..." to the be in the method comment.

          +1 once these two issues are addressed.

          Show
          Aaron T. Myers added a comment - I see what you're saying re: the arbitrary user name, but in the latest patch it still looks to me like you're using "hdfs" in the test case. Obviously this will work, but I think you should either change the name so it's obvious that it's arbitrary, or add a comment explaining this. I'd also recommend you move the comment "The underlying LdapCtx is also not thread-safe..." to the be in the method comment. +1 once these two issues are addressed.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12517603/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 3 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in .

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/688//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/688//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/688//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12517603/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 3 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/688//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/688//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/688//console This message is automatically generated.
          Hide
          Allen Wittenauer added a comment -

          1) hadoop.security.group.mapping.ldap.bind.password should not be in the hadoop conf file. This should be a pointer to a file that contains the password or stored in the keystore.

          2) I think the description for hadoop.security.group.mapping.ldap.search.filter.user is a bit confusing. Instead of "generic LDAP servers" just come out and say "non-AD schemas". Additionally, I'd replace "will likely" to "should be".

          3) I think the documentation needs to be clear what conditions this provider is required. This is especially important given that this a) will likely be unnecessary on the vast majority of properly configured systems b) bypasses the caching that happens at the OS level, so could be a potential performance hit.

          Show
          Allen Wittenauer added a comment - 1) hadoop.security.group.mapping.ldap.bind.password should not be in the hadoop conf file. This should be a pointer to a file that contains the password or stored in the keystore. 2) I think the description for hadoop.security.group.mapping.ldap.search.filter.user is a bit confusing. Instead of "generic LDAP servers" just come out and say "non-AD schemas". Additionally, I'd replace "will likely" to "should be". 3) I think the documentation needs to be clear what conditions this provider is required. This is especially important given that this a) will likely be unnecessary on the vast majority of properly configured systems b) bypasses the caching that happens at the OS level, so could be a potential performance hit.
          Hide
          Jonathan Natkins added a comment -

          I've updated the patch to address Allen's comments.

          I've modified the bind.password and keystore.password parameters in the core-defaults.xml file to point to files containing the respective passwords, and somewhat shamelessly stolen the approach taken by HADOOP-7621 to deal with the security concern.

          I've updated some of the parameter descriptions in the xml, and I've updated the javadocs for the LdapGroupsMapping class to be more explicit about the purpose and consequences of using LDAP for user-group mapping.

          Show
          Jonathan Natkins added a comment - I've updated the patch to address Allen's comments. I've modified the bind.password and keystore.password parameters in the core-defaults.xml file to point to files containing the respective passwords, and somewhat shamelessly stolen the approach taken by HADOOP-7621 to deal with the security concern. I've updated some of the parameter descriptions in the xml, and I've updated the javadocs for the LdapGroupsMapping class to be more explicit about the purpose and consequences of using LDAP for user-group mapping.
          Hide
          Allen Wittenauer added a comment -

          Does this code properly handle LDAP search limits? What happens if it hits one? (Many LDAP servers put a limit on the number of results that may be returned in a single query. This is extremely common and many larger LDAP deployments will have this in place as a low grade protection against DoS attacks.)

          Show
          Allen Wittenauer added a comment - Does this code properly handle LDAP search limits? What happens if it hits one? (Many LDAP servers put a limit on the number of results that may be returned in a single query. This is extremely common and many larger LDAP deployments will have this in place as a low grade protection against DoS attacks.)
          Hide
          Jonathan Natkins added a comment -

          There are two types of searches that get executed: 1) a group search, in which we're specifying the distinguished name that we're searching for, so we should only ever get back one result, or 2) a user search, in which case the filter should be something along the lines of (sAMAccountName=

          {0}) or (uid={0}

          ), which should only return one result, if configured correctly.

          I'll acknowledge that this doesn't prevent an admin from misconfiguring the user search filter to execute a query that brings back a large result set, e.g. (objectclass=user), but if it does throw an exception, it will caught and logged appropriately.

          Show
          Jonathan Natkins added a comment - There are two types of searches that get executed: 1) a group search, in which we're specifying the distinguished name that we're searching for, so we should only ever get back one result, or 2) a user search, in which case the filter should be something along the lines of (sAMAccountName= {0}) or (uid={0} ), which should only return one result, if configured correctly. I'll acknowledge that this doesn't prevent an admin from misconfiguring the user search filter to execute a query that brings back a large result set, e.g. (objectclass=user), but if it does throw an exception, it will caught and logged appropriately.
          Hide
          Allen Wittenauer added a comment -

          Doesn't this sort of make it unsuitable for anything but the specific use cases you have in mind? i.e., how would a non-AD user actually use this?

          Show
          Allen Wittenauer added a comment - Doesn't this sort of make it unsuitable for anything but the specific use cases you have in mind? i.e., how would a non-AD user actually use this?
          Hide
          Jonathan Natkins added a comment -

          Yeah, I see what you mean. Would it be acceptable if I renamed this class back to its original ActiveDirectoryGroupsMapping, and went with that for now? It almost makes sense to have two separate classes for ActiveDirectory versus LDAP proper, since the AD schema is very set in stone, where as LDAP is much more flexible, depending on the group class you're using, and how an organization has their schema setup.

          Show
          Jonathan Natkins added a comment - Yeah, I see what you mean. Would it be acceptable if I renamed this class back to its original ActiveDirectoryGroupsMapping, and went with that for now? It almost makes sense to have two separate classes for ActiveDirectory versus LDAP proper, since the AD schema is very set in stone, where as LDAP is much more flexible, depending on the group class you're using, and how an organization has their schema setup.
          Hide
          Jonathan Natkins added a comment -

          I take my previous suggestion back. I've rejiggered the code a bit to be group-centric, so that for both Active Directory and non-AD LDAP, we'll search by the member attribute of the group (instead of the memberOf attribute of the user), which should bring back all the groups that a user is a member of. This will easily support groupOfNames and groupOfUniqueNames group classes in non-AD.

          Show
          Jonathan Natkins added a comment - I take my previous suggestion back. I've rejiggered the code a bit to be group-centric, so that for both Active Directory and non-AD LDAP, we'll search by the member attribute of the group (instead of the memberOf attribute of the user), which should bring back all the groups that a user is a member of. This will easily support groupOfNames and groupOfUniqueNames group classes in non-AD.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12517807/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 4 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in .

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/697//testReport/
          Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/697//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/697//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12517807/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 4 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1039 javac compiler warnings (more than the trunk's current 1038 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. -1 findbugs. The patch appears to introduce 5 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/697//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HADOOP-Build/697//artifact/trunk/hadoop-common-project/patchprocess/newPatchFindbugsWarningshadoop-common.html Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/697//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          Allen, has Jon addressed your concerns?

          Show
          Aaron T. Myers added a comment - Allen, has Jon addressed your concerns?
          Hide
          Allen Wittenauer added a comment -

          Docs:

          Is the only documentation going to be the javadoc code? How are admins supposed to find this?

          + * ShellBasedUnixGroupsMapping should be sufficient. However, in cases where
          

          "is preferred" rather than "should be sufficient".

          + * access control, this class maybe used to communicate directly with the LDAP
          

          may be

          Functional:

          a) I'm still concerned about what happens when this code hits a search limit. I suspect that the places most likely to deploy this plug-in will have this issue...

          b) Am I correct that we don't support cascading groupOfNames? If not, that should also be documented.

          Show
          Allen Wittenauer added a comment - Docs: Is the only documentation going to be the javadoc code? How are admins supposed to find this? — + * ShellBasedUnixGroupsMapping should be sufficient. However, in cases where "is preferred" rather than "should be sufficient". + * access control, this class maybe used to communicate directly with the LDAP may be — Functional: a) I'm still concerned about what happens when this code hits a search limit. I suspect that the places most likely to deploy this plug-in will have this issue... b) Am I correct that we don't support cascading groupOfNames? If not, that should also be documented.
          Hide
          Jonathan Natkins added a comment -

          a) I'm a little unclear under what circumstances you expect this to hit a search limit. Would you expect that users would belong to more groups than the search limit can support in a single search? That seems surprising to me. Like I said earlier, if the plug-in is misconfigured, and you have a search filter that is not sensible, say (objectClass=*), yes, you would probably hit a search limit. In that case, an exception would be through in getGroups, and logged, alerting an admin to the fact that there's a problem.

          b) You're right, I'll document this somewhere.

          Regarding documentation, where is the most appropriate place for it to go?

          Show
          Jonathan Natkins added a comment - a) I'm a little unclear under what circumstances you expect this to hit a search limit. Would you expect that users would belong to more groups than the search limit can support in a single search? That seems surprising to me. Like I said earlier, if the plug-in is misconfigured, and you have a search filter that is not sensible, say (objectClass=*), yes, you would probably hit a search limit. In that case, an exception would be through in getGroups, and logged, alerting an admin to the fact that there's a problem. b) You're right, I'll document this somewhere. Regarding documentation, where is the most appropriate place for it to go?
          Hide
          Allen Wittenauer added a comment -

          It isn't unrealistic for super large enterprises to have tens of thousands of group definitions (one previous employer had just shy of 10k!). Is it possible for someone to be in so many groups as to hit the search limit? Well, it depends upon how the LDAP server is configured. If we don't want to fix this, then it should at least be mentioned in the docs that search limits are not supported and/or will result in unpredictable behavior.

          Show
          Allen Wittenauer added a comment - It isn't unrealistic for super large enterprises to have tens of thousands of group definitions (one previous employer had just shy of 10k!). Is it possible for someone to be in so many groups as to hit the search limit? Well, it depends upon how the LDAP server is configured. If we don't want to fix this, then it should at least be mentioned in the docs that search limits are not supported and/or will result in unpredictable behavior.
          Hide
          Jonathan Natkins added a comment -

          I've added some documentation to hdfs_permissions_guide.xml to note that the implementation exists, and point to the javadocs for more information.

          I've also added some additional information on the topics we've discussed to the javadocs, and filed HADOOP-8170 to track the search limit improvement.

          Additionally, I've updated the patch to hopefully deal with the findbugs warnings that popped up last time.

          Show
          Jonathan Natkins added a comment - I've added some documentation to hdfs_permissions_guide.xml to note that the implementation exists, and point to the javadocs for more information. I've also added some additional information on the topics we've discussed to the javadocs, and filed HADOOP-8170 to track the search limit improvement. Additionally, I've updated the patch to hopefully deal with the findbugs warnings that popped up last time.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12518340/HADOOP-8121.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 4 new or modified tests.

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/711//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12518340/HADOOP-8121.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 4 new or modified tests. -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/711//console This message is automatically generated.
          Hide
          Jonathan Natkins added a comment -

          Not sure what happened with that last patch run. I tested the patch, and it seemed to apply just fine locally. Attaching a new one to try to kick it again.

          Show
          Jonathan Natkins added a comment - Not sure what happened with that last patch run. I tested the patch, and it seemed to apply just fine locally. Attaching a new one to try to kick it again.
          Hide
          Aaron T. Myers added a comment -

          Patch application failed because test-patch doesn't support cross-sub-project patches, and this patch changes code in Common and docs in HDFS.

          How about you just upload a patch for the docs in HDFS, and a separate patch for the Common code changes? That should make test-patch happy.

          Show
          Aaron T. Myers added a comment - Patch application failed because test-patch doesn't support cross-sub-project patches, and this patch changes code in Common and docs in HDFS. How about you just upload a patch for the docs in HDFS, and a separate patch for the Common code changes? That should make test-patch happy.
          Hide
          Jonathan Natkins added a comment -

          Allen,

          Provided the test-patch job comes back happy, have I addressed all of your concerns?

          Show
          Jonathan Natkins added a comment - Allen, Provided the test-patch job comes back happy, have I addressed all of your concerns?
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12518697/HADOOP-8121-common.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 4 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1014 javac compiler warnings (more than the trunk's current 1013 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          +1 core tests. The patch passed unit tests in .

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/721//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/721//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12518697/HADOOP-8121-common.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 4 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1014 javac compiler warnings (more than the trunk's current 1013 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/721//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/721//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          +1, the latest patch looks good to me.

          Allen, has Jon addressed all of your concerns? If so, I'll go ahead and commit this patch. Please let me know.

          Show
          Aaron T. Myers added a comment - +1, the latest patch looks good to me. Allen, has Jon addressed all of your concerns? If so, I'll go ahead and commit this patch. Please let me know.
          Hide
          Aaron T. Myers added a comment -

          Also, Jon, can you comment on the javac warning? I believe it's unavoidable, but please confirm.

          Show
          Aaron T. Myers added a comment - Also, Jon, can you comment on the javac warning? I believe it's unavoidable, but please confirm.
          Hide
          Jonathan Natkins added a comment -

          The javac warning is related is caused by this line:

          env.put(Context.INITIAL_CONTEXT_FACTORY, com.sun.jndi.ldap.LdapCtxFactory.class.getName());

          The problem is that the LdapCtxFactory is a deprecated API, but according to all documentation (including Oracle's) and examples that I've looked at, it's the correct way to initialize the context. We could avoid the warning by hard-coding the string, but I strongly prefer calling getName() to get the actual class name.

          Show
          Jonathan Natkins added a comment - The javac warning is related is caused by this line: env.put(Context.INITIAL_CONTEXT_FACTORY, com.sun.jndi.ldap.LdapCtxFactory.class.getName()); The problem is that the LdapCtxFactory is a deprecated API, but according to all documentation (including Oracle's) and examples that I've looked at, it's the correct way to initialize the context. We could avoid the warning by hard-coding the string, but I strongly prefer calling getName() to get the actual class name.
          Hide
          Allen Wittenauer added a comment -

          Doing a quick pass over the patch:

          +  <value>(&amp;(objectClass=user)(sAMAccountName={0})</value>
          

          Shouldn't this be & and not &? Or is XML doing bad things to this?

          Show
          Allen Wittenauer added a comment - Doing a quick pass over the patch: + <value>(&amp;(objectClass=user)(sAMAccountName={0})</value> Shouldn't this be & and not &? Or is XML doing bad things to this?
          Hide
          Allen Wittenauer added a comment -

          (meh, stupid jira)

          Show
          Allen Wittenauer added a comment - (meh, stupid jira)
          Hide
          Jonathan Natkins added a comment -

          I think it's correct as it is. Ampersands don't play nicely with XML: http://www.microshell.com/programming/php/xml-and-ampersand/

          I did a small test of this by writing a file out with this text:

          <property>
          <value>&</value>
          </property>

          It doesn't parse in Chrome, but it displays correctly if I use &

          Show
          Jonathan Natkins added a comment - I think it's correct as it is. Ampersands don't play nicely with XML: http://www.microshell.com/programming/php/xml-and-ampersand/ I did a small test of this by writing a file out with this text: <property> <value>&</value> </property> It doesn't parse in Chrome, but it displays correctly if I use &
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12518697/HADOOP-8121-common.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 4 new or modified tests.

          +1 javadoc. The javadoc tool did not generate any warning messages.

          -1 javac. The applied patch generated 1014 javac compiler warnings (more than the trunk's current 1013 warnings).

          +1 eclipse:eclipse. The patch built with eclipse:eclipse.

          +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

          +1 release audit. The applied patch does not increase the total number of release audit warnings.

          -1 core tests. The patch failed these unit tests:
          org.apache.hadoop.ipc.TestRPCCallBenchmark

          +1 contrib tests. The patch passed contrib unit tests.

          Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/726//testReport/
          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/726//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12518697/HADOOP-8121-common.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 4 new or modified tests. +1 javadoc. The javadoc tool did not generate any warning messages. -1 javac. The applied patch generated 1014 javac compiler warnings (more than the trunk's current 1013 warnings). +1 eclipse:eclipse. The patch built with eclipse:eclipse. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed these unit tests: org.apache.hadoop.ipc.TestRPCCallBenchmark +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/726//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/726//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          +1, the latest patch looks good to me. I'm confident that the test failure of TestRPCCallBenchmark is unrelated.

          I'm going to commit this in the next few hours unless there are any more comments in the mean time.

          Show
          Aaron T. Myers added a comment - +1, the latest patch looks good to me. I'm confident that the test failure of TestRPCCallBenchmark is unrelated. I'm going to commit this in the next few hours unless there are any more comments in the mean time.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk-Commit #1979 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/1979/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740)

          Result = SUCCESS
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk-Commit #1979 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/1979/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740) Result = SUCCESS atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Hide
          Aaron T. Myers added a comment -

          I've just committed this to trunk and branch-0.23.

          Thanks a lot for the contribution, Natty!

          Show
          Aaron T. Myers added a comment - I've just committed this to trunk and branch-0.23. Thanks a lot for the contribution, Natty!
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #1905 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/1905/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740)

          Result = SUCCESS
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #1905 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/1905/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740) Result = SUCCESS atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-0.23-Commit #697 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Commit/697/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742)

          Result = SUCCESS
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-0.23-Commit #697 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Commit/697/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742) Result = SUCCESS atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-0.23-Commit #706 (See https://builds.apache.org/job/Hadoop-Common-0.23-Commit/706/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742)

          Result = SUCCESS
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Common-0.23-Commit #706 (See https://builds.apache.org/job/Hadoop-Common-0.23-Commit/706/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742) Result = SUCCESS atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk-Commit #1913 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/1913/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740)

          Result = ABORTED
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #1913 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/1913/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740) Result = ABORTED atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-0.23-Commit #713 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Commit/713/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742)

          Result = ABORTED
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-0.23-Commit #713 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Commit/713/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742) Result = ABORTED atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-0.23-Build #231 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Build/231/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742)

          Result = FAILURE
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-0.23-Build #231 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Build/231/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302742) Result = FAILURE atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302742 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/branches/branch-0.23/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk #1025 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1025/)
          HADOOP-8121. Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740)

          Result = SUCCESS
          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java
          • /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #1025 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1025/ ) HADOOP-8121 . Active Directory Group Mapping Service. Contributed by Jonathan Natkins. (Revision 1302740) Result = SUCCESS atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1302740 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/LdapGroupsMapping.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestLdapGroupsMapping.java /hadoop/common/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/docs/src/documentation/content/xdocs/hdfs_permissions_guide.xml

            People

            • Assignee:
              Jonathan Natkins
              Reporter:
              Jonathan Natkins
            • Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development