question Re: Ranger, Knox integration with Multiple Forest AD's in Archives of Support Questions (Read Only)

Ranger, Knox integration with Multiple Forest AD's

jknulst — Thu, 22 Dec 2016 17:38:12 GMT

I came to know that AD can be set up with multiple forests. Forest are AD lingo for a container at a level even higher then the Domain Controllers. This is not uncommon in large enterprise AD deployments ( see : MS_Technet)

So my question is:

-Do any of the HDP stack security features (Knox and Ranger) support this multi forest setup of AD (with the aim of synching or logging on to HDP from any one of those forests) and how?

Re: Ranger, Knox integration with Multiple Forest AD's

myoung — Fri, 23 Dec 2016 03:06:20 GMT

@Jasper

As you mention, a Forest is just a container for multiple domains. If there is a trust relationship in place, then you should be able to authenticate from Domain1 and access resources in Domain2. You can also authenticate against Domain1 and query Domain2.

I believe the HDP stack security components can authenticate to a domain within a Forest without any issues as the Forest should be transparent to HDP.

Having said that, I believe you can only specify a single domain in the configuration options for the HDP components. While you can query multiple domains using tools like "ldapsearch", I don't think you can currently do so using HDP.

Re: Ranger, Knox integration with Multiple Forest AD's

ahallam — Thu, 09 Feb 2017 16:33:47 GMT

FYI.

"Multiple Forest" is supported - but not "Cross Forest" AD.

If you have "Cross Forest" AD, Ranger may able to get users from the right branch but not groups or vice versa