Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-14513

Enhance custom query feature in LDAP atn to support resultset of ldap groups

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0
    • Fix Version/s: 2.1.1, 2.2.0
    • Component/s: HiveServer2
    • Labels:
      None

      Description

      LDAP Authenticator can be configured to use a result set from a LDAP query to authenticate. However, is it expected that this LDAP query would only result a set of users (aka full DNs for the users in LDAP).
      However, its not always straightforward to be able to author queries that return users. For example, say you would like to allow "all users from group1 and group2" to be authenticated. The LDAP query has to return a union of all members of the group1 and group2.

      For example, one common configuration is that groups contain a list of its users
      "dn: uid=group1,ou=Groups,dc=example,dc=com",
      "distinguishedName: uid=group1,ou=Groups,dc=example,dc=com",
      "objectClass: top",
      "objectClass: groupOfNames",
      "objectClass: ExtensibleObject",
      "cn: group1",
      "ou: Groups",
      "sn: group1",
      "member: uid=user1,ou=People,dc=example,dc=com",

      The query
      (&(objectClass=groupOfNames)(|(cn=group1)(cn=group2)))
      will return the entries
      uid=group1,ou=Groups,dc=example,dc=com
      uid=group2,ou=Groups,dc=example,dc=com

      but there is no means to form a query that would return just the values of "member" attributes. (ldap client tools are able to do by filtering out the attributes on these entries.

      So it will be useful to have such support to be able to specify queries that return groups.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ngangam Naveen Gangam
                Reporter:
                ngangam Naveen Gangam
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: