
Re: Kerberos ticket error:No rules applied to hdfs@CDH5.14.2

No problem. As long as you have a reasonable solution to address the issue, that's all good. :-)


Re: Kerberos ticket error:No rules applied to hdfs@CDH5.14.2

@bgooley hdfs is not picking up the users from supergroup@domain.com. Does the auth to local rule work for groups?

 

hadoop.security.group.mapping org.apache.hadoop.security.ShellBasedUnixGroupsMapping

 

[sbalusu@domain.com@hostname ~]$ hadoop fs -chown hdfs:supergroup /user/test
chown: changing ownership of '/user/test': Non-super user cannot change owner

[sbalusu@domain.com@hostname ~]$ getent group supergroup@domain.com
supergroup@domain.com:*:514734591:sbalusu@supergroup.com

 

I tried both group short name as well as group fqdn:
dfs.permissions.supergroup, dfs.permissions.superusergroup supergroup@domain.com

dfs.permissions.supergroup, dfs.permissions.superusergroup supergroup

 

Any suggestions?

 

 


Re: Kerberos ticket error:No rules applied to hdfs@CDH5.14.2

@balusu,

 

auth_to_local is used to map a user's principal to a unix name only.  It is not used for anything group-oriented.

 

By default, only the "hdfs" user is a superuser so it is the only user who can perform "chown" operations.

If you want to make other users superusers, you can do so by defining which group will be the "supergroup" and which users belong to it.

 

The group must be accessible via the OS (getent group supergroup). The default name for the supergroup is "supergroup".

 

In Cloudera Manager you can see this configuration in HDFS --> Configuration --> Superuser Group

Is there a reason you are trying to attach the "@domain" onto the group name?

I would recommend adding a group named "supergroup" if you don't need to change the default.  Then add sbalusu as a member.

 

Note this has nothing to do with Kerberos at all at this point... this is all group mapping for hadoop.
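
A shell check for the group lookup described in the post above, added here as an example; it is not code from the thread, Hadoop or Cloudera. It assumes the superuser check compares the configured group name against the user's OS group names as exact strings, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify how a user's OS groups relate to the HDFS
# "Superuser Group" setting. Assumption: group names are compared as
# exact strings, so "supergroup@domain.com" and "supergroup" differ.

# strip_domain NAME -> NAME without a trailing "@domain" suffix
strip_domain() {
    printf '%s\n' "${1%%@*}"
}

# classify_supergroup "SPACE SEPARATED GROUPS" SUPERGROUP
# Prints one of:
#   exact            a group equals the configured name
#   domain-mismatch  names differ only by an "@domain" suffix
#   none             no related group (or the user resolved no groups)
# Caveat: group names that contain spaces cannot be split reliably here.
classify_supergroup() {
    groups_list=$1
    supergroup=$2
    short_super=$(strip_domain "$supergroup")
    result=none
    for g in $groups_list; do
        if [ "$g" = "$supergroup" ]; then
            result=exact
            break
        fi
        if [ "$(strip_domain "$g")" = "$short_super" ]; then
            result=domain-mismatch
        fi
    done
    printf '%s\n' "$result"
}

# check_user USER SUPERGROUP: same classification against live OS data.
# Run it on the NameNode host, where group resolution takes place.
check_user() {
    os_groups=$(id -Gn "$1" 2>/dev/null) || { echo "unresolved"; return 1; }
    classify_supergroup "$os_groups" "$2"
}

# Constructed sample inputs modelled on the names in this thread
# (not real command output):
classify_supergroup "sbalusu supergroup" "supergroup"
classify_supergroup "sbalusu@domain.com supergroup@domain.com" "supergroup"
classify_supergroup "" "supergroup"
```

A result of domain-mismatch means the OS returns the group with a different suffix than the one configured, and none with an empty list matches the empty output that "hdfs groups" shows when no groups are resolved.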


Re: Kerberos ticket error:No rules applied to hdfs@CDH5.14.2


@bgooley

 

I apologise for the confusion. The supergroup I mentioned is hadoopadmingroup@example.com

 

In Cloudera Manager I changed this configuration in HDFS --> Configuration --> Superuser Group and tried setting it to hadoopadmingroup@example.com and then hadoopadmingroup; both of them did not work.

 

SSSD is set up to have a domain name at the end of Unix group and Unix user. Somehow hdfs is not able to map user to group with the domain name at the end.

 

 

True, I agree this is not a Kerberos issue. My intention is to find if Hadoop can work having a domain name at the end of the group so that I can have a conversation with Unix team to trim domain name at the end of the group.

 

Thanks,

Siva

 

 


Re: Kerberos ticket error:No rules applied to hdfs@CDH5.14.2

@balusu,

 

Yeah, I'm not sure if supergroup mapping will work if the group has the domain on it. I can't confirm it won't, but if you changed the group name, restarted HDFS, and still didn't have group access, that does indicate the config may not work.

 

You may try running "hdfs groups <user>" to see if that command "sees" your groups....


Re: Kerberos ticket error:No rules applied to hdfs@CDH5.14.2

@bgooley 

 

Ya, it does not seem to be working. 

 

HDFS --> Configuration --> Superuser Group = hadoopadmingroup@example.com and then hadoopadmingroup, both of them yielded zero groups.

 

[sbalusu@example.com@hostname ~]$ hdfs groups sbalusu@example.com
sbalusu_c@example.com :
[sbalusu@example.com@hostname ~]$ hdfs groups sbalusu_c
sbalusu_c :

 

 

Thanks & Regards,
Siva


Re: Kerberos ticket error:No rules applied to hdfs@CDH5.14.2

I have the SSSD configured to short name and everything looks good now!!! Thanks @bgooley