question Re: Spark-submit - mapping of principal in Support Questions

Spark-submit - mapping of principal

Jarinek — Tue, 04 Oct 2022 19:47:15 GMT

Hello,
on our system CDP 7.1.7, we have use konfiguration parameter
kafka.properties_role_safety_valve
add set attribute
sasl.kerberos.principal.to.local.rules
to map ActiveDirectory principals to entities created in ranger.

In our system, the AD user have a prefix e.g. xjohndoe@SAMPLE.COM maps to a ranger entity "johndoe"

During a spark-submit (over yarn), we also need to pass a principal, however as there is no such mapping, we obtain an error saying the unix user "xjohndoe" does not exist. This is true indeed, we eed to map it to "johndoe".

Ist there any possibility to map principals during spark-spark-submit possibly similarly to sasl.kerberos.principal.to.local.rules in kafka or any other possibility?

Best regards
Jaro

Re: Spark-submit - mapping of principal

mszurap — Wed, 05 Oct 2022 08:44:19 GMT

Hi @Jarinek , Yes, in CDH/CDP every service which depends on HDFS will inherit the HDFS configuration "auth-to-local rules", in CM in HDFS Configuration see "Additional Rules to Map Kerberos Principals to Short Names".

Kafka does not need HDFS so that's why it has a separate such configuration.

See the documentation how to set it:

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-kerberos-authentication/topics/cm-security-kerberos-authentication-auth-to-local-isolate.html

Best regards

Miklos

Re: Spark-submit - mapping of principal

Jarinek — Thu, 06 Oct 2022 14:15:46 GMT

Great, thanks