https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48901#M50097 <P>For the impyla issue, I believe Git is a good place to look for assistance too.</P><P>I see there is already a discussion in Git: <A href="https://github.com/cloudera/impyla/issues/233" target="_blank">https://github.com/cloudera/impyla/issues/233</A></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 Dec 2016 15:37:22 GMT bgooley 2016-12-29T15:37:22Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48802#M50094 <P>&nbsp;Hi, I'm trying to enable authorization system in Cloudera.</P><P>I'm reading this link <A href="https://www.cloudera.com/documentation/enterprise/5-3-x/topics/cm_sg_ldap_grp_mappings.html" target="_blank">https://www.cloudera.com/documentation/enterprise/5-3-x/topics/cm_sg_ldap_grp_mappings.html</A> .</P><P><STRONG>Q0</STRONG>: Why can we use LdapGroupsMapping in <STRONG>production</STRONG> environment? I would like to use Apache Zeppline to integreted Apache Spark. I would like to use LDAP as a unifined account system.</P><P><STRONG>Q1</STRONG>: If I use org.apache.hadoop.security.ShellBasedUnixGroupsMapping, Should I create users and groups in <STRONG>EVERY</STRONG> host in my cluster?</P><P><STRONG>Q2</STRONG>: If I use org.apache.hadoop.security.LdapGroupsMapping. When new users and groups are created, will they <STRONG>sync</STRONG> to EVERY host in my cluster?</P><P><STRONG>Q3</STRONG>:When adding new service in Cloudera Manager, for example, kafka service, will `kafka` user created both in LDAP database and <STRONG>EVERY</STRONG> host in my cluster?</P><P><STRONG>Q4</STRONG>: I've enabled MIT kerberos in my cluster. Can I submit task from Windows IDE with proper kerberos <STRONG>keytab</STRONG> files. For example, using impyla in Python in Windows machine.</P> Mon, 26 Dec 2016 07:55:11 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48802#M50094 zhuangmz 2016-12-26T07:55:11Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48882#M50095 <P><FONT color="#000000"><STRONG>A0</STRONG>: While using LDAP as a "unified account system", Cloudera recommends against leveraging LDAP Group Mapping. &nbsp;I'll repost the Note on the page you mentioned:</FONT><BR /><BR /><FONT color="#FF0000"><SPAN class="title">Important:</SPAN><SPAN> Cloudera strongly recommends </SPAN><EM>against</EM><SPAN> using Hadoop's </SPAN>LdapGroupsMapping<SPAN> provider. </SPAN>LdapGroupsMapping<SPAN> should only be used in cases where OS-level integration is not possible. Production clusters require an identity provider that works well with all applications, not just Hadoop. Hence, often the preferred mechanism is to use tools such as SSSD, VAS or Centrify to replicate LDAP groups.</SPAN></FONT></P><P>&nbsp;</P><P><FONT color="#000000">The idea is to allow tools that were designed for unix account integration with LDAP/Active Directory, etc.</FONT></P><P><FONT color="#000000">You could enable LDAP Groups Mapping for HDFS, but only HDFS would know about users/groups. &nbsp;The OS would not know about them.</FONT></P><P>&nbsp;</P><P><FONT color="#000000"><STRONG>A1:</STRONG> Yes, each host should have the same set of users. &nbsp;Two common methods of managing this (without having to manually update every host's passwd and group files:</FONT></P><P>&nbsp;</P><P><FONT color="#000000">- Tools such as SSSD, VAS, and Centrify&nbsp;allow hosts to retrieve user information from one location. &nbsp;As long as each host in the cluster is configured to use the tool, each host can find a singular entry in LDAP (hdfs user for instance)</FONT></P><P><FONT color="#000000">- Puppet, Chef, or other automation tools can be used to push out passwd/group changes to all hosts.</FONT></P><P>&nbsp;</P><P><FONT color="#000000"><STRONG>A2:</STRONG> No. There is no "syncing" for LDAP Groups Mapping; rather, there is one LDAP entry that services will reference.</FONT></P><P>&nbsp;</P><P><FONT color="#000000"><STRONG>A3:</STRONG>&nbsp;By default, Cloudera Manager has "<SPAN>Create Users and Groups, and Apply File Permissions for Parcels" enabled. &nbsp;When the parcel is activated, the agents on each host managed by that Cloudera Manager will create local users and groups if that setting is enabled. &nbsp;It won't create them in LDAP, though.</SPAN></FONT></P><P>&nbsp;</P><P><FONT color="#000000"><STRONG>A4:</STRONG> I'm affraid I don't understand the question completely, so I'll answer generally. &nbsp;As long as your client has the proper configuration and credentials to authenticate, it should be able to work.</FONT></P><P>&nbsp;</P><P><FONT color="#000000">I hope that all helps.</FONT></P><P>&nbsp;</P><P><FONT color="#000000">Regards,</FONT></P><P>&nbsp;</P><P><FONT color="#000000">Ben</FONT></P> Thu, 29 Dec 2016 07:36:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48882#M50095 bgooley 2016-12-29T07:36:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48883#M50096 <P>Thanks, bgooley.</P><P>&nbsp;</P><P><STRONG>Q1</STRONG>. I've tried ansible to maitain users and groups. It works.</P><P>&nbsp;</P><P><STRONG>Q4</STRONG>. I mean. I would like to use python with PyCharm in Windows, in order to get an iteractive shell. In both following cases, I've kinit using MIT kerberos for Windows.</P><P>&nbsp;</P><P><STRONG>case1</STRONG>: impyla in Python scripts.</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://community.cloudera.com/t5/Interactive-Short-cycle-SQL/connect-kerberozied-cluster-from-impyla-in-windows-machine/m-p/48890#M2336" target="_blank">https://community.cloudera.com/t5/Interactive-Short-cycle-SQL/connect-kerberozied-cluster-from-impyla-in-windows-machine/m-p/48890#M2336</A></P><P>&nbsp;</P><P><STRONG>case2</STRONG>: pyspark in Python scripts.</P><P>&nbsp;</P><P><A href="https://community.cloudera.com/t5/Advanced-Analytics-Apache-Spark/connect-kerberozied-cluster-from-pyspark-in-windows-machine/m-p/48889" target="_blank">https://community.cloudera.com/t5/Advanced-Analytics-Apache-Spark/connect-kerberozied-cluster-from-pyspark-in-windows-machine/m-p/48889</A></P> Thu, 29 Dec 2016 08:11:52 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48883#M50096 zhuangmz 2016-12-29T08:11:52Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48901#M50097 <P>For the impyla issue, I believe Git is a good place to look for assistance too.</P><P>I see there is already a discussion in Git: <A href="https://github.com/cloudera/impyla/issues/233" target="_blank">https://github.com/cloudera/impyla/issues/233</A></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 29 Dec 2016 15:37:22 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48901#M50097 bgooley 2016-12-29T15:37:22Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48915#M50098 OK. Actually, It was me that started that isse in Github <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Fri, 30 Dec 2016 00:49:35 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Authorization-questions-LDAP/m-p/48915#M50098 zhuangmz 2016-12-30T00:49:35Z