  1. Hive
  2. HIVE-15076

Improve scalability of LDAP authentication provider group filter

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.0
    • Fix Version/s: 2.3.0
    • Component/s: Authentication
    • Labels:
      None

      Description

      The current implementation uses the following algorithm:

      1. For a given user find all groups that user is a member of. (A list of LDAP groups is constructed as a result of that request)
      2. Match this list of groups with provided group filter.

      The time and memory complexity of this approach is O(N) on the client side, where N is the number of groups the user is a member of. On a large directory (800+ groups per user) we can observe up to 2x performance degradation and failures because of the size of the LDAP response (LDAP: error code 4 - Sizelimit Exceeded).

      Some directory services (Microsoft Active Directory, for instance) provide a virtual attribute on the user object that contains the list of groups the user belongs to. This attribute can be used to quickly determine whether the user passes or fails the group filter.
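
The two strategies from the description, side by side, as an added example (not code from Hive or from the attached patches). It assumes the Active Directory attribute names `memberOf` and `sAMAccountName`; the directory contents, group DNs and size limit are constructed, and the server is simulated in memory.

```python
# RFC 4515 escaping: user names and group DNs must not alter the filter structure.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value before placing it in an LDAP search filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def membership_filter(user, allowed_group_dns,
                      user_attr="sAMAccountName", membership_attr="memberOf"):
    """Build one filter that matches the user only if they are in an allowed group."""
    groups = "".join(f"({membership_attr}={escape_filter_value(dn)})"
                     for dn in allowed_group_dns)
    return f"(&({user_attr}={escape_filter_value(user)})(|{groups}))"

class SizeLimitExceeded(Exception):
    """Stands in for 'LDAP: error code 4 - Sizelimit Exceeded'."""

# Constructed directory: user -> group DNs (what the virtual attribute exposes).
DIRECTORY = {
    "alice": [f"CN=team{i},OU=Groups,DC=example,DC=com" for i in range(850)],
    "bob": ["CN=interns,OU=Groups,DC=example,DC=com"],
}
SIZE_LIMIT = 500  # constructed server-side limit on entries per response

def check_by_enumeration(user, allowed):
    """Steps 1-2 of the description: fetch every group, then match on the client."""
    groups = DIRECTORY.get(user, [])
    if len(groups) > SIZE_LIMIT:  # response carries N entries
        raise SizeLimitExceeded(f"{len(groups)} entries > {SIZE_LIMIT}")
    return any(g in allowed for g in groups)

def check_by_membership_attr(user, allowed):
    """Single query on the user object; the response holds at most one entry."""
    flt = membership_filter(user, allowed)  # what would be sent to the server
    # Simulated server-side evaluation of that filter against the user entry.
    matched = any(g in allowed for g in DIRECTORY.get(user, []))
    return matched, flt

if __name__ == "__main__":
    allowed = ["CN=team7,OU=Groups,DC=example,DC=com"]
    print(check_by_membership_attr("alice", allowed))
    try:
        check_by_enumeration("alice", allowed)
    except SizeLimitExceeded as exc:
        print("enumeration failed:", exc)
```
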

        Attachments

        1. HIVE-15076.1.patch
          43 kB
          Illya Yalovyy
        2. HIVE-15076.2.patch
          43 kB
          Illya Yalovyy
        3. HIVE-15076.3.patch
          43 kB
          Illya Yalovyy
        4. HIVE-15076.4.patch
          45 kB
          Illya Yalovyy
        5. HIVE-15076.5.patch
          45 kB
          Illya Yalovyy

              People

              • Assignee:
                yalovyyi Illya Yalovyy
                Reporter:
                yalovyyi Illya Yalovyy
              • Votes:
                1
                Watchers:
                6
