org.apache.hadoop.security

Class LdapGroupsMapping

java.lang.Object

org.apache.hadoop.security.LdapGroupsMapping

All Implemented Interfaces:

org.apache.hadoop.conf.Configurable, org.apache.hadoop.security.GroupMappingServiceProvider

@InterfaceAudience.LimitedPrivate(value={"HDFS","MapReduce"})
 @InterfaceStability.Evolving
public class LdapGroupsMapping
extends Object
implements org.apache.hadoop.security.GroupMappingServiceProvider, org.apache.hadoop.conf.Configurable

An implementation of GroupMappingServiceProvider which connects directly to an LDAP server for determining group membership. This provider should be used only if it is necessary to map users to groups that reside exclusively in an Active Directory or LDAP installation. The common case for a Hadoop installation will be that LDAP users and groups materialized on the Unix servers, and for an installation like that, ShellBasedUnixGroupsMapping is preferred. However, in cases where those users and groups aren't materialized in Unix, but need to be used for access control, this class may be used to communicate directly with the LDAP server. It is important to note that resolving group mappings will incur network traffic, and may cause degraded performance, although user-group mappings will be cached via the infrastructure provided by Groups. This implementation does not support configurable search limits. If a filter is used for searching users or groups which returns more results than are allowed by the server, an exception will be thrown. The implementation attempts to resolve group hierarchies, to a configurable limit. If the limit is 0, in order to be considered a member of a group, the user must be an explicit member in LDAP. Otherwise, it will traverse the group hierarchy n levels up.

Field Summary

Fields

Modifier and Type	Field and Description
static String	BASE_DN_DEFAULT
static String	BASE_DN_KEY
static String	BIND_PASSWORD_DEFAULT
static String	BIND_PASSWORD_FILE_DEFAULT
static String	BIND_PASSWORD_FILE_KEY
static String	BIND_PASSWORD_KEY
static String	BIND_USER_DEFAULT
static String	BIND_USER_KEY
static String	CONNECTION_TIMEOUT
static int	CONNECTION_TIMEOUT_DEFAULT
static String	DIRECTORY_SEARCH_TIMEOUT
static int	DIRECTORY_SEARCH_TIMEOUT_DEFAULT
static String	GROUP_BASE_DN_KEY
static int	GROUP_HIERARCHY_LEVELS_DEFAULT
static String	GROUP_HIERARCHY_LEVELS_KEY
static String	GROUP_MEMBERSHIP_ATTR_DEFAULT
static String	GROUP_MEMBERSHIP_ATTR_KEY
static String	GROUP_NAME_ATTR_DEFAULT
static String	GROUP_NAME_ATTR_KEY
static String	GROUP_SEARCH_FILTER_DEFAULT
static String	GROUP_SEARCH_FILTER_KEY
static String	LDAP_CONFIG_PREFIX
static String	LDAP_KEYSTORE_DEFAULT
static String	LDAP_KEYSTORE_KEY
static String	LDAP_KEYSTORE_PASSWORD_DEFAULT
static String	LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT
static String	LDAP_KEYSTORE_PASSWORD_FILE_KEY
static String	LDAP_KEYSTORE_PASSWORD_KEY
static String	LDAP_TRUSTSTORE_KEY File path to the location of the SSL truststore to use
static String	LDAP_TRUSTSTORE_PASSWORD_FILE_KEY The path to a file containing the password for the LDAP SSL truststore
static String	LDAP_TRUSTSTORE_PASSWORD_KEY The key of the credential entry containing the password for the LDAP SSL truststore
static String	LDAP_URL_DEFAULT
static String	LDAP_URL_KEY
static Boolean	LDAP_USE_SSL_DEFAULT
static String	LDAP_USE_SSL_KEY
static String	MEMBEROF_ATTR_DEFAULT
static String	MEMBEROF_ATTR_KEY
static String	POSIX_ACCOUNT
static String	POSIX_GID_ATTR_DEFAULT
static String	POSIX_GID_ATTR_KEY
static String	POSIX_GROUP
static String	POSIX_UID_ATTR_DEFAULT
static String	POSIX_UID_ATTR_KEY
static String	READ_TIMEOUT
static int	READ_TIMEOUT_DEFAULT
static int	RECONNECT_RETRY_COUNT
static String	USER_BASE_DN_KEY
static String	USER_SEARCH_FILTER_DEFAULT
static String	USER_SEARCH_FILTER_KEY

Fields inherited from interface org.apache.hadoop.security.GroupMappingServiceProvider

GROUP_MAPPING_CONFIG_PREFIX

Constructor Summary

Constructors

Constructor and Description
LdapGroupsMapping()

Method Summary

Modifier and Type	Method and Description
void	cacheGroupsAdd(List<String> groups) Adds groups to cache, no need to do that for this provider
void	cacheGroupsRefresh() Caches groups, no need to do that for this provider
org.apache.hadoop.conf.Configuration	getConf()
List<String>	getGroups(String user) Returns list of groups for a user.
void	setConf(org.apache.hadoop.conf.Configuration conf)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LDAP_CONFIG_PREFIX

public static final String LDAP_CONFIG_PREFIX

See Also:

Constant Field Values

LDAP_URL_KEY

public static final String LDAP_URL_KEY

See Also:

Constant Field Values

LDAP_URL_DEFAULT

public static final String LDAP_URL_DEFAULT

See Also:

Constant Field Values

LDAP_USE_SSL_KEY

public static final String LDAP_USE_SSL_KEY

See Also:

Constant Field Values

LDAP_USE_SSL_DEFAULT

public static final Boolean LDAP_USE_SSL_DEFAULT

LDAP_KEYSTORE_KEY

public static final String LDAP_KEYSTORE_KEY

See Also:

Constant Field Values

LDAP_KEYSTORE_DEFAULT

public static final String LDAP_KEYSTORE_DEFAULT

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_KEY

public static final String LDAP_KEYSTORE_PASSWORD_KEY

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_DEFAULT

public static final String LDAP_KEYSTORE_PASSWORD_DEFAULT

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_FILE_KEY

public static final String LDAP_KEYSTORE_PASSWORD_FILE_KEY

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT

public static final String LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT

See Also:

Constant Field Values

LDAP_TRUSTSTORE_KEY

public static final String LDAP_TRUSTSTORE_KEY

File path to the location of the SSL truststore to use

See Also:

Constant Field Values

LDAP_TRUSTSTORE_PASSWORD_KEY

public static final String LDAP_TRUSTSTORE_PASSWORD_KEY

The key of the credential entry containing the password for the LDAP SSL truststore

See Also:

Constant Field Values

LDAP_TRUSTSTORE_PASSWORD_FILE_KEY

public static final String LDAP_TRUSTSTORE_PASSWORD_FILE_KEY

The path to a file containing the password for the LDAP SSL truststore

See Also:

Constant Field Values

BIND_USER_KEY

public static final String BIND_USER_KEY

See Also:

Constant Field Values

BIND_USER_DEFAULT

public static final String BIND_USER_DEFAULT

See Also:

Constant Field Values

BIND_PASSWORD_KEY

public static final String BIND_PASSWORD_KEY

See Also:

Constant Field Values

BIND_PASSWORD_DEFAULT

public static final String BIND_PASSWORD_DEFAULT

See Also:

Constant Field Values

BIND_PASSWORD_FILE_KEY

public static final String BIND_PASSWORD_FILE_KEY

See Also:

Constant Field Values

BIND_PASSWORD_FILE_DEFAULT

public static final String BIND_PASSWORD_FILE_DEFAULT

See Also:

Constant Field Values

BASE_DN_KEY

public static final String BASE_DN_KEY

See Also:

Constant Field Values

BASE_DN_DEFAULT

public static final String BASE_DN_DEFAULT

See Also:

Constant Field Values

USER_BASE_DN_KEY

public static final String USER_BASE_DN_KEY

See Also:

Constant Field Values

GROUP_BASE_DN_KEY

public static final String GROUP_BASE_DN_KEY

See Also:

Constant Field Values

USER_SEARCH_FILTER_KEY

public static final String USER_SEARCH_FILTER_KEY

See Also:

Constant Field Values

USER_SEARCH_FILTER_DEFAULT

public static final String USER_SEARCH_FILTER_DEFAULT

See Also:

Constant Field Values

GROUP_SEARCH_FILTER_KEY

public static final String GROUP_SEARCH_FILTER_KEY

See Also:

Constant Field Values

GROUP_SEARCH_FILTER_DEFAULT

public static final String GROUP_SEARCH_FILTER_DEFAULT

See Also:

Constant Field Values

MEMBEROF_ATTR_KEY

public static final String MEMBEROF_ATTR_KEY

See Also:

Constant Field Values

MEMBEROF_ATTR_DEFAULT

public static final String MEMBEROF_ATTR_DEFAULT

See Also:

Constant Field Values

GROUP_MEMBERSHIP_ATTR_KEY

public static final String GROUP_MEMBERSHIP_ATTR_KEY

See Also:

Constant Field Values

GROUP_MEMBERSHIP_ATTR_DEFAULT

public static final String GROUP_MEMBERSHIP_ATTR_DEFAULT

See Also:

Constant Field Values

GROUP_NAME_ATTR_KEY

public static final String GROUP_NAME_ATTR_KEY

See Also:

Constant Field Values

GROUP_NAME_ATTR_DEFAULT

public static final String GROUP_NAME_ATTR_DEFAULT

See Also:

Constant Field Values

GROUP_HIERARCHY_LEVELS_KEY

public static final String GROUP_HIERARCHY_LEVELS_KEY

See Also:

Constant Field Values

GROUP_HIERARCHY_LEVELS_DEFAULT

public static final int GROUP_HIERARCHY_LEVELS_DEFAULT

See Also:

Constant Field Values

POSIX_UID_ATTR_KEY

public static final String POSIX_UID_ATTR_KEY

See Also:

Constant Field Values

POSIX_UID_ATTR_DEFAULT

public static final String POSIX_UID_ATTR_DEFAULT

See Also:

Constant Field Values

POSIX_GID_ATTR_KEY

public static final String POSIX_GID_ATTR_KEY

See Also:

Constant Field Values

POSIX_GID_ATTR_DEFAULT

public static final String POSIX_GID_ATTR_DEFAULT

See Also:

Constant Field Values

POSIX_GROUP

public static final String POSIX_GROUP

See Also:

Constant Field Values

POSIX_ACCOUNT

public static final String POSIX_ACCOUNT

See Also:

Constant Field Values

DIRECTORY_SEARCH_TIMEOUT

public static final String DIRECTORY_SEARCH_TIMEOUT

See Also:

Constant Field Values

DIRECTORY_SEARCH_TIMEOUT_DEFAULT

public static final int DIRECTORY_SEARCH_TIMEOUT_DEFAULT

See Also:

Constant Field Values

CONNECTION_TIMEOUT

public static final String CONNECTION_TIMEOUT

See Also:

Constant Field Values

CONNECTION_TIMEOUT_DEFAULT

public static final int CONNECTION_TIMEOUT_DEFAULT

See Also:

Constant Field Values

READ_TIMEOUT

public static final String READ_TIMEOUT

See Also:

Constant Field Values

READ_TIMEOUT_DEFAULT

public static final int READ_TIMEOUT_DEFAULT

See Also:

Constant Field Values

RECONNECT_RETRY_COUNT

public static final int RECONNECT_RETRY_COUNT

See Also:

Constant Field Values

Constructor Detail

LdapGroupsMapping

public LdapGroupsMapping()

Method Detail

getGroups

public List<String> getGroups(String user)

Returns list of groups for a user. The LdapCtx which underlies the DirContext object is not thread-safe, so we need to block around this whole method. The caching infrastructure will ensure that performance stays in an acceptable range.

Specified by:

getGroups in interface org.apache.hadoop.security.GroupMappingServiceProvider

Parameters:

user - get groups for this user

Returns:

list of groups for a given user

cacheGroupsRefresh

public void cacheGroupsRefresh()
                        throws IOException

Caches groups, no need to do that for this provider

Specified by:

cacheGroupsRefresh in interface org.apache.hadoop.security.GroupMappingServiceProvider

Throws:

IOException

cacheGroupsAdd

public void cacheGroupsAdd(List<String> groups)
                    throws IOException

Adds groups to cache, no need to do that for this provider

Specified by:

cacheGroupsAdd in interface org.apache.hadoop.security.GroupMappingServiceProvider

Parameters:

groups - unused

Throws:

IOException

getConf

public org.apache.hadoop.conf.Configuration getConf()

Specified by:

getConf in interface org.apache.hadoop.conf.Configurable

setConf

public void setConf(org.apache.hadoop.conf.Configuration conf)

Specified by:

setConf in interface org.apache.hadoop.conf.Configurable