Configuring LDAP Group Mappings
Irrespective of the mechanism used, user/group mappings must be applied consistently across all cluster hosts for ease of maintenance.
Note that if you have modified the System User or System Group setting within Cloudera Manager for any service, you must use those custom values to provision the users and groups in LDAP.
Component (Version) | Unix User ID | Groups | Notes |
---|---|---|---|
Cloudera Manager (all versions) | cloudera-scm | cloudera-scm | Cloudera Manager processes such as the Cloudera Manager Server and the monitoring roles run as this user. The Cloudera Manager keytab file must be named cmf.keytab since that name is hard-coded in Cloudera Manager. Note: Applicable to clusters managed by Cloudera Manager only. |
Apache Accumulo (Accumulo 1.4.3 and higher) | accumulo | accumulo | Accumulo processes run as this user. |
Apache Avro | No special users. | | |
Apache Flume (CDH 4, CDH 5) | flume | flume | The sink that writes to HDFS as this user must have write privileges. |
Apache HBase (CDH 4, CDH 5) | hbase | hbase | The Master and the RegionServer processes run as this user. |
HDFS (CDH 4, CDH 5) | hdfs | hdfs, hadoop | The NameNode and DataNodes run as this user, and the HDFS root directory as well as the directories used for edit logs should be owned by it. |
Apache Hive (CDH 4, CDH 5) | hive | hive | The HiveServer2 process and the Hive Metastore processes run as this user. A user must be defined for Hive access to its Metastore DB (for example, MySQL or Postgres) but it can be any identifier and does not correspond to a Unix uid. This is javax.jdo.option.ConnectionUserName in hive-site.xml. |
Apache HCatalog (CDH 4.2 and higher, CDH 5) | hive | hive | The WebHCat service (for REST access to Hive functionality) runs as the hive user. |
HttpFS (CDH 4, CDH 5) | httpfs | httpfs | The HttpFS service runs as this user. See HttpFS Security Configuration for instructions on how to generate the merged httpfs-http.keytab file. |
Hue (CDH 4, CDH 5) | hue | hue | Hue services run as this user. |
Cloudera Impala (CDH 4.1 and higher, CDH 5) | impala | impala, hive | Impala services run as this user. |
Apache Kafka (Cloudera Distribution of Kafka 1.2.0) | kafka | kafka | Kafka services run as this user. |
Java KeyStore KMS (CDH 5.2.1 and higher) | kms | kms | The Java KeyStore KMS service runs as this user. |
Key Trustee KMS (CDH 5.3 and higher) | kms | kms | The Key Trustee KMS service runs as this user. |
Key Trustee Server (CDH 5.4 and higher) | keytrustee | keytrustee | The Key Trustee Server service runs as this user. |
Kudu | kudu | kudu | Kudu services run as this user. |
Llama (CDH 5) | llama | llama | Llama runs as this user. |
Apache Mahout | No special users. | | |
MapReduce (CDH 4, CDH 5) | mapred | mapred, hadoop | Without Kerberos, the JobTracker and tasks run as this user. The LinuxTaskController binary is owned by this user for Kerberos. |
Apache Oozie (CDH 4, CDH 5) | oozie | oozie | The Oozie service runs as this user. |
Parquet | No special users. | | |
Apache Pig | No special users. | | |
Cloudera Search (CDH 4.3 and higher, CDH 5) | solr | solr | The Solr processes run as this user. |
Apache Spark (CDH 5) | spark | spark | The Spark History Server process runs as this user. |
Apache Sentry (CDH 5.1 and higher) | sentry | sentry | The Sentry service runs as this user. |
Apache Sqoop (CDH 4, CDH 5) | sqoop | sqoop | This user is only for the Sqoop1 Metastore, a configuration option that is not recommended. |
Apache Sqoop2 (CDH 4.2 and higher, CDH 5) | sqoop2 | sqoop, sqoop2 | The Sqoop2 service runs as this user. |
Apache Whirr | No special users. | | |
YARN (CDH 4, CDH 5) | yarn | yarn, hadoop | Without Kerberos, all YARN services and applications run as this user. The LinuxContainerExecutor binary is owned by this user for Kerberos. |
Apache ZooKeeper (CDH 4, CDH 5) | zookeeper | zookeeper | The ZooKeeper processes run as this user. It is not configurable. |
- You can use either Cloudera Manager or the following command-line instructions to complete this configuration.
- This information applies specifically to CDH 5.8.x. If you use an earlier version of CDH, see the documentation for that version located at Cloudera Documentation.
Using Cloudera Manager
Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)
- Open the Cloudera Manager Admin Console and go to the HDFS service.
- Click the Configuration tab.
- Select
- Select .
- Modify the following configuration properties using values from the table below:
Configuration Property | Value |
---|---|
Hadoop User Group Mapping Implementation | org.apache.hadoop.security.LdapGroupsMapping |
Hadoop User Group Mapping LDAP URL | ldap://<server> |
Hadoop User Group Mapping LDAP Bind User | Administrator@example.com |
Hadoop User Group Mapping LDAP Bind User Password | *** |
Hadoop User Group Mapping Search Base | dc=example,dc=com |
Using the Command Line
```xml
<!-- Group-mapping properties for core-site.xml; apply the same values on every cluster host. -->
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://server</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>Administrator@example.com</value>
</property>
<property>
  <!-- Stored in plaintext here; hadoop.security.group.mapping.ldap.bind.password.file
       can point to a restricted file instead so the secret stays out of core-site.xml. -->
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>****</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>dc=example,dc=com</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <!-- The ampersand must be written as &amp; or the XML will not parse. {0} is replaced by the user name. -->
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>
<property>
  <!-- Attribute of a group entry that lists its members (as DNs). -->
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>
<property>
  <!-- Attribute of a group entry that becomes the Hadoop group name. -->
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
```
- If you are using Sentry with Hive, you will also need to add these properties on the HiveServer2 node.
- If you are using Sentry with Impala, add these properties on all hosts.
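The following is an added example, not Cloudera's or Hadoop's code: it reads the property names from the core-site.xml fragment above and resolves a user's groups the way LdapGroupsMapping does (user filter first to obtain the DN, then the group filter ANDed with `member=<user DN>`), against a constructed in-memory directory so it runs offline. The directory entries, user names and group names are all made up for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed core-site.xml fragment using the property names from the page.
CORE_SITE = """<configuration>
<property><name>hadoop.security.group.mapping.ldap.base</name><value>dc=example,dc=com</value></property>
<property><name>hadoop.security.group.mapping.ldap.search.filter.user</name><value>(&amp;(objectClass=user)(sAMAccountName={0}))</value></property>
<property><name>hadoop.security.group.mapping.ldap.search.filter.group</name><value>(objectClass=group)</value></property>
<property><name>hadoop.security.group.mapping.ldap.search.attr.member</name><value>member</value></property>
<property><name>hadoop.security.group.mapping.ldap.search.attr.group.name</name><value>cn</value></property>
</configuration>"""

# Constructed in-memory directory (DN -> attributes) standing in for a real AD.
ALICE = "CN=alice,CN=Users,DC=example,DC=com"
DIRECTORY = {
    ALICE: {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=bob,CN=Users,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=hadoop,CN=Groups,DC=example,DC=com": {"objectClass": ["group"], "cn": ["hadoop"], "member": [ALICE]},
    "CN=hdfs,CN=Groups,DC=example,DC=com": {"objectClass": ["group"], "cn": ["hdfs"], "member": [ALICE]},
    "CN=mapred,CN=Groups,DC=example,DC=com": {"objectClass": ["group"], "cn": ["mapred"], "member": []},
}

def load_props(xml_text):
    """Read <name>/<value> pairs the way Hadoop's Configuration loader does."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("property")}

def matches(entry, flt):
    """Evaluate the filter subset the page uses: a flat AND of equality assertions."""
    if flt.startswith("(&"):
        return all(matches(entry, f) for f in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")  # value may itself contain '=' (a DN)
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in vals)  # LDAP matching is case-insensitive

def search(base, flt):
    """Subtree search under base against the in-memory directory."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(e, flt)]

def ldap_groups(props, user):
    """The two-step lookup LdapGroupsMapping performs: find the user's DN with the
    user filter, then find groups whose member attribute holds that DN."""
    def p(key): return props["hadoop.security.group.mapping.ldap." + key]
    user_dns = search(p("base"), p("search.filter.user").replace("{0}", user))
    if not user_dns:
        return []  # unknown user resolves to no groups (Hadoop logs a warning)
    group_filter = "(&%s(%s=%s))" % (p("search.filter.group"), p("search.attr.member"), user_dns[0])
    return sorted(DIRECTORY[dn][p("search.attr.group.name")][0] for dn in search(p("base"), group_filter))

PROPS = load_props(CORE_SITE)
```

On a real cluster the same lookup can be checked end to end with `hdfs groups <username>`, which should list the LDAP groups for that user on every host.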
©2016 Cloudera, Inc. All rights reserved.