Package org.apache.hadoop.security

Class LdapGroupsMapping

java.lang.Object

org.apache.hadoop.security.LdapGroupsMapping

All Implemented Interfaces:

Configurable, GroupMappingServiceProvider

Direct Known Subclasses:

RuleBasedLdapGroupsMapping

@LimitedPrivate({"HDFS","MapReduce"})
@Evolving
public class LdapGroupsMapping
extends java.lang.Object
implements GroupMappingServiceProvider, Configurable

An implementation of GroupMappingServiceProvider which connects directly to an LDAP server for determining group membership. This provider should be used only if it is necessary to map users to groups that reside exclusively in an Active Directory or LDAP installation. The common case for a Hadoop installation will be that LDAP users and groups materialized on the Unix servers, and for an installation like that, ShellBasedUnixGroupsMapping is preferred. However, in cases where those users and groups aren't materialized in Unix, but need to be used for access control, this class may be used to communicate directly with the LDAP server. It is important to note that resolving group mappings will incur network traffic, and may cause degraded performance, although user-group mappings will be cached via the infrastructure provided by Groups. This implementation does not support configurable search limits. If a filter is used for searching users or groups which returns more results than are allowed by the server, an exception will be thrown. The implementation attempts to resolve group hierarchies, to a configurable limit. If the limit is 0, in order to be considered a member of a group, the user must be an explicit member in LDAP. Otherwise, it will traverse the group hierarchy n levels up.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	LdapGroupsMapping.LdapSslSocketFactory	An private internal socket factory used to create SSL sockets with custom configuration.

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	BASE_DN_DEFAULT
static java.lang.String	BASE_DN_KEY
static java.lang.String	BIND_PASSWORD_ALIAS_DEFAULT
static java.lang.String	BIND_PASSWORD_ALIAS_KEY
static java.lang.String	BIND_PASSWORD_ALIAS_SUFFIX
static java.lang.String	BIND_PASSWORD_DEFAULT
static java.lang.String	BIND_PASSWORD_FILE_DEFAULT
static java.lang.String	BIND_PASSWORD_FILE_KEY
static java.lang.String	BIND_PASSWORD_FILE_SUFFIX
static java.lang.String	BIND_PASSWORD_KEY
static java.lang.String	BIND_PASSWORD_SUFFIX
static java.lang.String	BIND_USER_DEFAULT
static java.lang.String	BIND_USER_KEY
static java.lang.String	BIND_USER_SUFFIX
static java.lang.String	BIND_USERS_KEY
static java.lang.String	CONNECTION_TIMEOUT
static int	CONNECTION_TIMEOUT_DEFAULT
static java.lang.String	DIRECTORY_SEARCH_TIMEOUT
static int	DIRECTORY_SEARCH_TIMEOUT_DEFAULT
static java.lang.String	GROUP_BASE_DN_KEY
static int	GROUP_HIERARCHY_LEVELS_DEFAULT
static java.lang.String	GROUP_HIERARCHY_LEVELS_KEY
static java.lang.String	GROUP_MEMBERSHIP_ATTR_DEFAULT
static java.lang.String	GROUP_MEMBERSHIP_ATTR_KEY
static java.lang.String	GROUP_NAME_ATTR_DEFAULT
static java.lang.String	GROUP_NAME_ATTR_KEY
static java.lang.String	GROUP_SEARCH_FILTER_DEFAULT
static java.lang.String	GROUP_SEARCH_FILTER_KEY
static java.lang.String	GROUP_SEARCH_FILTER_PATTERN
static java.lang.String	GROUP_SEARCH_FILTER_PATTERN_DEFAULT
static java.lang.String	LDAP_CONFIG_PREFIX
static java.lang.String	LDAP_CTX_FACTORY_CLASS_DEFAULT
static java.lang.String	LDAP_CTX_FACTORY_CLASS_KEY
static java.lang.String	LDAP_KEYSTORE_DEFAULT
static java.lang.String	LDAP_KEYSTORE_KEY
static java.lang.String	LDAP_KEYSTORE_PASSWORD_DEFAULT
static java.lang.String	LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT
static java.lang.String	LDAP_KEYSTORE_PASSWORD_FILE_KEY
static java.lang.String	LDAP_KEYSTORE_PASSWORD_KEY
static int	LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_DEFAULT
static java.lang.String	LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_KEY
static int	LDAP_NUM_ATTEMPTS_DEFAULT
static java.lang.String	LDAP_NUM_ATTEMPTS_KEY
static java.lang.String	LDAP_TRUSTSTORE_KEY	File path to the location of the SSL truststore to use
static java.lang.String	LDAP_TRUSTSTORE_PASSWORD_FILE_KEY	The path to a file containing the password for the LDAP SSL truststore
static java.lang.String	LDAP_TRUSTSTORE_PASSWORD_KEY	The key of the credential entry containing the password for the LDAP SSL truststore
static java.lang.String	LDAP_URL_DEFAULT
static java.lang.String	LDAP_URL_KEY
static java.lang.Boolean	LDAP_USE_SSL_DEFAULT
static java.lang.String	LDAP_USE_SSL_KEY
static java.lang.String	MEMBEROF_ATTR_DEFAULT
static java.lang.String	MEMBEROF_ATTR_KEY
static java.lang.String	POSIX_ACCOUNT
static java.lang.String	POSIX_GID_ATTR_DEFAULT
static java.lang.String	POSIX_GID_ATTR_KEY
static java.lang.String	POSIX_GROUP
static java.lang.String	POSIX_UID_ATTR_DEFAULT
static java.lang.String	POSIX_UID_ATTR_KEY
static java.lang.String	READ_TIMEOUT
static int	READ_TIMEOUT_DEFAULT
static java.lang.String	USER_BASE_DN_KEY
static java.lang.String	USER_SEARCH_FILTER_DEFAULT
static java.lang.String	USER_SEARCH_FILTER_KEY

Fields inherited from interface org.apache.hadoop.security.GroupMappingServiceProvider

GROUP_MAPPING_CONFIG_PREFIX

Constructor Summary

Constructors

Constructor	Description
LdapGroupsMapping()

Method Summary

Modifier and Type	Method	Description
void	cacheGroupsAdd(java.util.List<java.lang.String> groups)	Adds groups to cache, no need to do that for this provider
void	cacheGroupsRefresh()	Caches groups, no need to do that for this provider
protected boolean	failover(int attemptsMadeWithSameLdap, int maxAttemptsBeforeFailover)	Check whether we should fail over to the next LDAP server.
Configuration	getConf()	Return the configuration used by this object.
java.util.List<java.lang.String>	getGroups(java.lang.String user)	Returns list of groups for a user.
java.util.Set<java.lang.String>	getGroupsSet(java.lang.String user)	Get all various group memberships of a given user.
java.util.Iterator<java.lang.String>	getLdapUrls()	Get URLs of configured LDAP servers.
void	setConf(Configuration conf)	Set the configuration to be used by this object.
protected void	switchBindUser(javax.naming.AuthenticationException e)	Switch to the next available user to bind to.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LDAP_CONFIG_PREFIX

public static final java.lang.String LDAP_CONFIG_PREFIX

See Also:

Constant Field Values

LDAP_URL_KEY

public static final java.lang.String LDAP_URL_KEY

See Also:

Constant Field Values

LDAP_URL_DEFAULT

public static final java.lang.String LDAP_URL_DEFAULT

See Also:

Constant Field Values

LDAP_USE_SSL_KEY

public static final java.lang.String LDAP_USE_SSL_KEY

See Also:

Constant Field Values

LDAP_USE_SSL_DEFAULT

public static final java.lang.Boolean LDAP_USE_SSL_DEFAULT

LDAP_KEYSTORE_KEY

public static final java.lang.String LDAP_KEYSTORE_KEY

See Also:

Constant Field Values

LDAP_KEYSTORE_DEFAULT

public static final java.lang.String LDAP_KEYSTORE_DEFAULT

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_KEY

public static final java.lang.String LDAP_KEYSTORE_PASSWORD_KEY

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_DEFAULT

public static final java.lang.String LDAP_KEYSTORE_PASSWORD_DEFAULT

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_FILE_KEY

public static final java.lang.String LDAP_KEYSTORE_PASSWORD_FILE_KEY

See Also:

Constant Field Values

LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT

public static final java.lang.String LDAP_KEYSTORE_PASSWORD_FILE_DEFAULT

See Also:

Constant Field Values

LDAP_TRUSTSTORE_KEY

public static final java.lang.String LDAP_TRUSTSTORE_KEY

File path to the location of the SSL truststore to use

See Also:

Constant Field Values

LDAP_TRUSTSTORE_PASSWORD_KEY

public static final java.lang.String LDAP_TRUSTSTORE_PASSWORD_KEY

The key of the credential entry containing the password for the LDAP SSL truststore

See Also:

Constant Field Values

LDAP_TRUSTSTORE_PASSWORD_FILE_KEY

public static final java.lang.String LDAP_TRUSTSTORE_PASSWORD_FILE_KEY

The path to a file containing the password for the LDAP SSL truststore

See Also:

Constant Field Values

BIND_USERS_KEY

public static final java.lang.String BIND_USERS_KEY

See Also:

Constant Field Values

BIND_USER_SUFFIX

public static final java.lang.String BIND_USER_SUFFIX

See Also:

Constant Field Values

BIND_USER_KEY

public static final java.lang.String BIND_USER_KEY

See Also:

Constant Field Values

BIND_USER_DEFAULT

public static final java.lang.String BIND_USER_DEFAULT

See Also:

Constant Field Values

BIND_PASSWORD_SUFFIX

public static final java.lang.String BIND_PASSWORD_SUFFIX

See Also:

Constant Field Values

BIND_PASSWORD_KEY

public static final java.lang.String BIND_PASSWORD_KEY

See Also:

Constant Field Values

BIND_PASSWORD_DEFAULT

public static final java.lang.String BIND_PASSWORD_DEFAULT

See Also:

Constant Field Values

BIND_PASSWORD_FILE_SUFFIX

public static final java.lang.String BIND_PASSWORD_FILE_SUFFIX

See Also:

Constant Field Values

BIND_PASSWORD_FILE_KEY

public static final java.lang.String BIND_PASSWORD_FILE_KEY

See Also:

Constant Field Values

BIND_PASSWORD_FILE_DEFAULT

public static final java.lang.String BIND_PASSWORD_FILE_DEFAULT

See Also:

Constant Field Values

BIND_PASSWORD_ALIAS_SUFFIX

public static final java.lang.String BIND_PASSWORD_ALIAS_SUFFIX

See Also:

Constant Field Values

BIND_PASSWORD_ALIAS_KEY

public static final java.lang.String BIND_PASSWORD_ALIAS_KEY

See Also:

Constant Field Values

BIND_PASSWORD_ALIAS_DEFAULT

public static final java.lang.String BIND_PASSWORD_ALIAS_DEFAULT

See Also:

Constant Field Values

BASE_DN_KEY

public static final java.lang.String BASE_DN_KEY

See Also:

Constant Field Values

BASE_DN_DEFAULT

public static final java.lang.String BASE_DN_DEFAULT

See Also:

Constant Field Values

USER_BASE_DN_KEY

public static final java.lang.String USER_BASE_DN_KEY

See Also:

Constant Field Values

GROUP_BASE_DN_KEY

public static final java.lang.String GROUP_BASE_DN_KEY

See Also:

Constant Field Values

USER_SEARCH_FILTER_KEY

public static final java.lang.String USER_SEARCH_FILTER_KEY

See Also:

Constant Field Values

USER_SEARCH_FILTER_DEFAULT

public static final java.lang.String USER_SEARCH_FILTER_DEFAULT

See Also:

Constant Field Values

GROUP_SEARCH_FILTER_KEY

public static final java.lang.String GROUP_SEARCH_FILTER_KEY

See Also:

Constant Field Values

GROUP_SEARCH_FILTER_DEFAULT

public static final java.lang.String GROUP_SEARCH_FILTER_DEFAULT

See Also:

Constant Field Values

MEMBEROF_ATTR_KEY

public static final java.lang.String MEMBEROF_ATTR_KEY

See Also:

Constant Field Values

MEMBEROF_ATTR_DEFAULT

public static final java.lang.String MEMBEROF_ATTR_DEFAULT

See Also:

Constant Field Values

GROUP_MEMBERSHIP_ATTR_KEY

public static final java.lang.String GROUP_MEMBERSHIP_ATTR_KEY

See Also:

Constant Field Values

GROUP_MEMBERSHIP_ATTR_DEFAULT

public static final java.lang.String GROUP_MEMBERSHIP_ATTR_DEFAULT

See Also:

Constant Field Values

GROUP_NAME_ATTR_KEY

public static final java.lang.String GROUP_NAME_ATTR_KEY

See Also:

Constant Field Values

GROUP_NAME_ATTR_DEFAULT

public static final java.lang.String GROUP_NAME_ATTR_DEFAULT

See Also:

Constant Field Values

GROUP_HIERARCHY_LEVELS_KEY

public static final java.lang.String GROUP_HIERARCHY_LEVELS_KEY

See Also:

Constant Field Values

GROUP_HIERARCHY_LEVELS_DEFAULT

public static final int GROUP_HIERARCHY_LEVELS_DEFAULT

See Also:

Constant Field Values

POSIX_UID_ATTR_KEY

public static final java.lang.String POSIX_UID_ATTR_KEY

See Also:

Constant Field Values

POSIX_UID_ATTR_DEFAULT

public static final java.lang.String POSIX_UID_ATTR_DEFAULT

See Also:

Constant Field Values

POSIX_GID_ATTR_KEY

public static final java.lang.String POSIX_GID_ATTR_KEY

See Also:

Constant Field Values

POSIX_GID_ATTR_DEFAULT

public static final java.lang.String POSIX_GID_ATTR_DEFAULT

See Also:

Constant Field Values

GROUP_SEARCH_FILTER_PATTERN

public static final java.lang.String GROUP_SEARCH_FILTER_PATTERN

See Also:

Constant Field Values

GROUP_SEARCH_FILTER_PATTERN_DEFAULT

public static final java.lang.String GROUP_SEARCH_FILTER_PATTERN_DEFAULT

See Also:

Constant Field Values

POSIX_GROUP

public static final java.lang.String POSIX_GROUP

See Also:

Constant Field Values

POSIX_ACCOUNT

public static final java.lang.String POSIX_ACCOUNT

See Also:

Constant Field Values

DIRECTORY_SEARCH_TIMEOUT

public static final java.lang.String DIRECTORY_SEARCH_TIMEOUT

See Also:

Constant Field Values

DIRECTORY_SEARCH_TIMEOUT_DEFAULT

public static final int DIRECTORY_SEARCH_TIMEOUT_DEFAULT

See Also:

Constant Field Values

CONNECTION_TIMEOUT

public static final java.lang.String CONNECTION_TIMEOUT

See Also:

Constant Field Values

CONNECTION_TIMEOUT_DEFAULT

public static final int CONNECTION_TIMEOUT_DEFAULT

See Also:

Constant Field Values

READ_TIMEOUT

public static final java.lang.String READ_TIMEOUT

See Also:

Constant Field Values

READ_TIMEOUT_DEFAULT

public static final int READ_TIMEOUT_DEFAULT

See Also:

Constant Field Values

LDAP_NUM_ATTEMPTS_KEY

public static final java.lang.String LDAP_NUM_ATTEMPTS_KEY

See Also:

Constant Field Values

LDAP_NUM_ATTEMPTS_DEFAULT

public static final int LDAP_NUM_ATTEMPTS_DEFAULT

See Also:

Constant Field Values

LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_KEY

public static final java.lang.String LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_KEY

See Also:

Constant Field Values

LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_DEFAULT

public static final int LDAP_NUM_ATTEMPTS_BEFORE_FAILOVER_DEFAULT

See Also:

Constant Field Values

LDAP_CTX_FACTORY_CLASS_KEY

public static final java.lang.String LDAP_CTX_FACTORY_CLASS_KEY

See Also:

Constant Field Values

LDAP_CTX_FACTORY_CLASS_DEFAULT

public static final java.lang.String LDAP_CTX_FACTORY_CLASS_DEFAULT

See Also:

Constant Field Values

Constructor Detail

LdapGroupsMapping

public LdapGroupsMapping()

Method Detail

getGroups

public java.util.List<java.lang.String> getGroups(java.lang.String user)

Returns list of groups for a user. The LdapCtx which underlies the DirContext object is not thread-safe, so we need to block around this whole method. The caching infrastructure will ensure that performance stays in an acceptable range.

Specified by:

getGroups in interface GroupMappingServiceProvider

Parameters:

user - get groups for this user

Returns:

list of groups for a given user

failover

protected boolean failover(int attemptsMadeWithSameLdap,
                           int maxAttemptsBeforeFailover)

Check whether we should fail over to the next LDAP server.

Parameters:

attemptsMadeWithSameLdap - current number of attempts made with using same LDAP instance

maxAttemptsBeforeFailover - maximum number of attempts before failing over

Returns:

true if we should fail over to the next LDAP server

switchBindUser

protected void switchBindUser(javax.naming.AuthenticationException e)

Switch to the next available user to bind to.

Parameters:

e - AuthenticationException encountered when contacting LDAP

cacheGroupsRefresh

public void cacheGroupsRefresh()

Caches groups, no need to do that for this provider

Specified by:

cacheGroupsRefresh in interface GroupMappingServiceProvider

cacheGroupsAdd

public void cacheGroupsAdd(java.util.List<java.lang.String> groups)

Adds groups to cache, no need to do that for this provider

Specified by:

cacheGroupsAdd in interface GroupMappingServiceProvider

Parameters:

groups - unused

getGroupsSet

public java.util.Set<java.lang.String> getGroupsSet(java.lang.String user)

Description copied from interface: GroupMappingServiceProvider

Get all various group memberships of a given user. Returns EMPTY set in case of non-existing user

Specified by:

getGroupsSet in interface GroupMappingServiceProvider

Parameters:

user - User's name

Returns:

set of group memberships of user

getConf

public Configuration getConf()

Description copied from interface: Configurable

Return the configuration used by this object.

Specified by:

getConf in interface Configurable

Returns:

Configuration

setConf

public void setConf(Configuration conf)

Description copied from interface: Configurable

Set the configuration to be used by this object.

Specified by:

setConf in interface Configurable

Parameters:

conf - configuration to be used

getLdapUrls

public java.util.Iterator<java.lang.String> getLdapUrls()

Get URLs of configured LDAP servers.

Returns:

URLs of LDAP servers being used.