[
https://issues.apache.org/jira/browse/HADOOP-8943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14040627#comment-14040627
]
Kai Zheng commented on HADOOP-8943:
-----------------------------------
Hi Brandon,
I updated the patch as discussed above.
1. To simplify the patch, removed the domain support. This would be much safer,
and also avoided adding another interface;
2. Added another property to indicate whether to combine all the groups from
all the providers or not.
hadoop.security.group.mapping.providers.combined: true/false
3. I checked CommonConfigurationKeysPublic; unfortunately it is located in an
unexpected package.
4. Updated the configuration sample in core-default.xml to clarify how to
configure the LDAP provider in such a composite groups mapping provider.
Would you help review once more? Thanks.
> Support multiple group mapping providers
> ----------------------------------------
>
> Key: HADOOP-8943
> URL: https://issues.apache.org/jira/browse/HADOOP-8943
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Fix For: 2.5.0
>
> Attachments: HADOOP-8943.patch, HADOOP-8943.patch, HADOOP-8943.patch,
> hadoop-8943-v2.patch
>
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> Discussed LdapGroupMapping with Natty; we need to improve it so that:
> 1. It's possible to do different group mapping for different
> users/principals. For example, AD user should go to LdapGroupMapping service
> for group, but service principals such as hdfs, mapred can still use the
> default one ShellBasedUnixGroupsMapping;
> 2. Multiple ADs can be supported to do LdapGroupMapping;
> 3. It's possible to configure what kind of users/principals (regarding
> domain/realm is an option) should use which group mapping service/mechanism.
> 4. It's possible to configure and combine multiple existing mapping providers
> without writing code to implement a new one.