Explorer
Posts: 6
Registered: ‎05-10-2017

100 Users Hue Kerberos Ldap(ADS)


Hi Folks,


I searched for an answer for one hour and did not find any clear solution.

Here is my infra:

- Cloudera CDH5.10 
- Kerberos against (ADS)
- Hue and CM against Ldap(ADS)

Here's the question:

With the configuration I have right now everything runs nicely when I use one of the technical users which exists in both (LDAP and the local OS), but when I try to log in as an LDAP-only user in Hue I can only do my HDFS stuff.
The moment I try to exec Impala or a Hive/MR job I'll get the "yarn: user not found" exception. The moment I add the user to all nodes it works fine.


But do I need to sync/create all my LDAP users on all my cluster nodes, or is it possible that I can log in as an LDAP user and Hue uses an internal technical account for Impala and MR?


And of course: how and where does it need to be configured?

Thanks in advance

Cloudera Employee
Posts: 702
Registered: ‎07-30-2013

Re: 100 Users Hue Kerberos Ldap(ADS)

If you use Kerberos, the user must also exist at the Unix level.
Explorer
Posts: 6
Registered: ‎05-10-2017

Re: 100 Users Hue Kerberos Ldap(ADS)

Thanks for your answer.
But that would mean that we need to sync 100s of users and groups to all of our cluster nodes to provide the full lineage and governance data lake with full fine-grained security...

Isn't there another solution?
How do other enterprise customers solve this? I cannot imagine that big customers sync hundreds or thousands of users to their local OS machines.

Posts: 455
Topics: 1
Kudos: 106
Solutions: 59
Registered: ‎04-22-2014

Re: 100 Users Hue Kerberos Ldap(ADS)

@kaefaetz, you are correct that the management overhead for many users is a problem. One approach might be using an automation tool like Puppet or Chef to update users on each host.


Many administrators who face your issue leverage software that will integrate plugins to handle OS user/group requests via retrieval from Active Directory or other sources.


SSSD, Centrify (costs money), and FreeIPA are a few examples of such solutions.

There is some information about this on the following page:


https://www.cloudera.com/documentation/enterprise/latest/topics/sg_auth_overview.html#concept_zkr_5h...


-Ben

Explorer
Posts: 6
Registered: ‎05-10-2017

Re: 100 Users Hue Kerberos Ldap(ADS)

Tested a bit further. Is there an easy answer why Impala is working with Kerberos via Hue (count(*)...) and Hive is not?
Am I right that it is YARN which requires the local OS users?

Explorer
Posts: 6
Registered: ‎05-10-2017

Re: 100 Users Hue Kerberos Ldap(ADS)

OK, Impala is not on top of YARN, and for YARN applications such as Spark or Hive every user needs to be on the local OS on every node.

But why is Impala working without the users with Kerberos and Sentry activated?
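As an added example (not code from the thread or from Cloudera), this small Python script reproduces the lookup chain Ben's answer and the last two posts describe: a Kerberos principal is mapped to a short name by Hadoop's auth_to_local rules, and a YARN NodeManager then needs the node's NSS (local /etc/passwd, or SSSD/Centrify/FreeIPA backed by AD) to resolve that short name. Realm and user names are constructed, and only Hadoop's DEFAULT rule is modelled.

```python
# Added example: reproduce the lookup chain behind "yarn: user not found".
# Impala runs queries inside its own daemons and does not launch per-user
# OS processes, which is why it works for LDAP-only Hue users while YARN
# (Hive/MR/Spark) fails on nodes where the user is not provisioned.
import pwd


def principal_to_short_name(principal, default_realm):
    """Simplified DEFAULT rule: 'user[/instance]@REALM' -> 'user' when REALM
    is the cluster's default realm. Returns None when the rule does not
    match, mirroring Hadoop's 'no matching rule' failure for foreign realms.
    Real clusters may define more rules in hadoop.security.auth_to_local."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # no realm: already a short name
        return principal
    if realm != default_realm:
        return None
    return name.split("/", 1)[0]     # first component only


def os_user_exists(short_name):
    """True when this host's NSS can answer getpwnam() for the name, which
    is the check a NodeManager effectively performs before launching a
    container as that user (works against /etc/passwd or SSSD alike)."""
    try:
        pwd.getpwnam(short_name)
        return True
    except KeyError:
        return False


def audit_principals(principals, default_realm):
    """Split principals into those whose short name resolves on this node
    and those that would hit 'user not found' in YARN jobs. Principals the
    mapping rule cannot handle (foreign realm) are reported as missing."""
    resolved, missing = {}, []
    for principal in principals:
        short = principal_to_short_name(principal, default_realm)
        if short is not None and os_user_exists(short):
            resolved[principal] = short
        else:
            missing.append(principal)
    return resolved, missing


if __name__ == "__main__":
    # Constructed sample: 'root' exists on any Unix node; the others stand
    # in for LDAP-only Hue users that were never provisioned at OS level.
    sample = ["root@EXAMPLE.COM", "ldapuser01@EXAMPLE.COM", "bob@OTHER.COM"]
    ok, nok = audit_principals(sample, "EXAMPLE.COM")
    print("resolve on this node:", ok)
    print("would fail in YARN  :", nok)
```

Run it on each NodeManager host after wiring SSSD (or another NSS provider) to AD; a user that appears under "would fail" on any node is one that Hive/MR jobs submitted from Hue will still reject there.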
