Hadoop Common / HADOOP-9477

posixGroups support for LDAP groups mapping service

    Details

    • Type: Improvement
    • Status: Patch Available
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.0.4-alpha
    • Fix Version/s: 2.5.0
    • Component/s: None
    • Labels:
      None

      Description

      It would be nice to support posixGroups for the LdapGroupsMapping service. Below is from the current description for the provider:
      hadoop.security.group.mapping.ldap.search.filter.group:
      An additional filter to use when searching for LDAP groups. This should be
      changed when resolving groups against a non-Active Directory installation.
      posixGroups are currently not a supported group class.

      1. HADOOP-9477.patch
        9 kB
        Dapeng Sun
      2. HADOOP-9477.patch
        9 kB
        Dapeng Sun

        Activity

        Kai Zheng created issue -
        Kai Zheng added a comment -

        Here's a sample account and group.

        posixGroup group:

        dn: cn=ldapgroup,ou=Group,dc=example,dc=com
        objectClass: posixGroup
        objectClass: top
        cn: ldapgroup
        gidNumber: 700
        ...

        posixAccount account:

        dn: uid=ldapuser,ou=People,dc=example,dc=com
        uid: ldapuser
        cn: ldapuser
        objectClass: account
        objectClass: posixAccount
        loginShell: /bin/bash
        uidNumber: 600
        gidNumber: 700
        homeDirectory: /home/ldapuser
        ...

        Daryn Sharp added a comment -

        The LdapGroupsMapping is highly configurable, so is there actually a bug in it? Untested, but something like the following config values should work:

        hadoop.security.group.mapping.ldap.search.filter.user  = (&(objectClass=posixAccount)(uid={0}))
        hadoop.security.group.mapping.ldap.search.filter.group = (objectClass=posixGroup)
        hadoop.security.group.mapping.ldap.search.attr.member  = gidNumber
        
        Kai Zheng added a comment -

        Hi Daryn,

        Thanks for your comment.

        For posixGroups, a possible procedure can be:
        userDn = ldap_lookup( (&(objectClass=posixAccount)(uid={0})) )
        gidNumberX = userDn.gidNumber
        groupDn = ldap_lookup( (&(objectClass=posixGroup)(gidNumber={0})), gidNumberX )
        Then groupDn is the expected group for that user.
        Note here one user may have more groups.

        For the member attribute, it can only be used for a group like:
        objectClass: XGroup
        groupName: testgroup
        member: user1
        member: user2
        …

        For such a group the procedure is something like below, as the current LdapGroupsMapping does:
        userDn = ...
        username = userDn.name
        groupDn = ldap_lookup( (&(objectClass=XGroup)(member={0})), username )
        Then groupDn is the expected group for that user.

        As you can see, the procedure for posixGroups is different from the current implementation. That’s why it requires extra effort.

        Dapeng Sun made changes -
        Field Original Value New Value
        Status Open [ 1 ] Patch Available [ 10002 ]
        Affects Version/s 2.0.4-alpha [ 12324135 ]
        Target Version/s 2.0.4-alpha [ 12324135 ]
        Dapeng Sun made changes -
        Attachment HADOOP-9477.patch [ 12581825 ]
        Dapeng Sun added a comment -

        Hi, Kai

        As you note, regarding posix account we also need to consider multiple groups. We can use memberUid against posixGroups to get more groups. Thus the overall procedure would be:
        userDn = ldap_lookup( (&(objectClass=posixAccount)(cn={0})), userName )
        gidNumber = userDn.gidNumber
        uidNumber = userDn.uidNumber
        groupDnList = ldap_lookup( (&(objectClass=posixGroup)(|(gidNumber={0})(memberUid={1}))), [gidNumber, uidNumber] )

        For detail, please see my patch.
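
Added example, not part of the issue thread or of the HADOOP-9477 patch: the two-step posixGroup resolution discussed in the comments above, run against a constructed in-memory directory that extends the sample entries with two hypothetical groups (`analysts`, `admins`). The function names and the `member_key` parameter are assumptions; `member_key="uid"` follows RFC 2307, where memberUid holds login names, and `member_key="uidNumber"` gives the variant in the comment above. Values are escaped per RFC 4515 before they are placed in a filter, so a user name cannot change which groups the filter selects.

```python
# Constructed sample data: the thread's ldapuser/ldapgroup plus two
# hypothetical groups used to show supplementary membership.
DIRECTORY = [
    {"dn": "uid=ldapuser,ou=People,dc=example,dc=com",
     "objectClass": ["account", "posixAccount"],
     "uid": ["ldapuser"], "uidNumber": ["600"], "gidNumber": ["700"]},
    {"dn": "cn=ldapgroup,ou=Group,dc=example,dc=com",
     "objectClass": ["posixGroup", "top"], "cn": ["ldapgroup"],
     "gidNumber": ["700"]},
    {"dn": "cn=analysts,ou=Group,dc=example,dc=com",
     "objectClass": ["posixGroup", "top"], "cn": ["analysts"],
     "gidNumber": ["701"], "memberUid": ["ldapuser"]},
    {"dn": "cn=admins,ou=Group,dc=example,dc=com",
     "objectClass": ["posixGroup", "top"], "cn": ["admins"],
     "gidNumber": ["702"], "memberUid": ["root"]},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: the value stays a literal inside the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(gid_number, member_value):
    """Combined posixGroup filter a server would be sent, values escaped."""
    return "(&(objectClass=posixGroup)(|(gidNumber=%s)(memberUid=%s)))" % (
        escape_filter_value(gid_number), escape_filter_value(member_value))


def resolve_groups(directory, user_name, member_key="uid"):
    """Step 1: find the posixAccount. Step 2: collect its primary group
    (gidNumber) and supplementary groups (memberUid). The in-memory match
    stands in for the server evaluating group_filter()."""
    users = [e for e in directory
             if "posixAccount" in e["objectClass"]
             and user_name in e.get("uid", [])]
    if len(users) != 1:  # unknown or ambiguous user: grant no groups
        return []
    gid, member = users[0]["gidNumber"][0], users[0][member_key][0]
    return sorted(
        e["cn"][0] for e in directory
        if "posixGroup" in e["objectClass"]
        and (gid in e.get("gidNumber", [])
             or member in e.get("memberUid", [])))
```

With `member_key="uidNumber"` the `analysts` group is missed in this sample directory, because its memberUid values are login names rather than numeric ids.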

        Dapeng Sun made changes -
        Attachment HADOOP-9477.patch [ 12581825 ]
        Dapeng Sun made changes -
        Attachment HADOOP-9477.patch [ 12581855 ]
        Dapeng Sun made changes -
        Attachment HADOOP-9477.patch [ 12581898 ]
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12581898/HADOOP-9477.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/2517//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/2517//console

        This message is automatically generated.

        Arun C Murthy made changes -
        Fix Version/s 2.3.0 [ 12324587 ]
        Fix Version/s 2.1.0-beta [ 12324030 ]
        Arun C Murthy made changes -
        Fix Version/s 2.3.0 [ 12325254 ]
        Fix Version/s 2.4.0 [ 12324587 ]
        Hadoop QA added a comment -

        +1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12581898/HADOOP-9477.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        +1 tests included. The patch appears to include 1 new or modified test files.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 eclipse:eclipse. The patch built with eclipse:eclipse.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in hadoop-common-project/hadoop-common.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/3493//testReport/
        Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/3493//console

        This message is automatically generated.

        Arun C Murthy made changes -
        Fix Version/s 2.4.0 [ 12326144 ]
        Fix Version/s 2.3.0 [ 12325254 ]
        Arun C Murthy made changes -
        Fix Version/s 2.5.0 [ 12326263 ]
        Fix Version/s 2.4.0 [ 12326144 ]

          People

          • Assignee:
            Kai Zheng
            Reporter:
            Kai Zheng
          • Votes:
            2
            Watchers:
            8

              Time Tracking

              Estimated:
              168h
              Remaining:
              168h
              Logged:
              Not Specified
