https://community.cloudera.com/t5/Archives-of-Support-Questions/CompositeGroupsMapping/m-p/51564#M55745 <P>CDM shows these group mapping providers (hadoop.security.group.mapping):</P><P>- jniBasedUnixGroupsMapping</P><P>- ShellBasedUnixGroupsMapping</P><P>- LdapGroupsMapping</P><P>&nbsp;</P><P>In 2012 a CompositeGroupsMappings provider was created, but I don't see it in CDM (v5.7.1)</P><P>&nbsp;</P><P>Is it possible to configure CDM to use the CompositeGroupsMappings provider using a safety valve?</P><P>- the LdapGroupsMapping should be used for regular users</P><P>- the ShellBasedUnixGroupsMapping should be used for system accounts, like hdfs &amp; yarn</P><P>&nbsp;</P><P>thanks</P> Tue, 28 Feb 2017 14:04:36 GMT jeroenr 2017-02-28T14:04:36Z https://community.cloudera.com/t5/Archives-of-Support-Questions/CompositeGroupsMapping/m-p/51564#M55745 <P>CDM shows these group mapping providers (hadoop.security.group.mapping):</P><P>- jniBasedUnixGroupsMapping</P><P>- ShellBasedUnixGroupsMapping</P><P>- LdapGroupsMapping</P><P>&nbsp;</P><P>In 2012 a CompositeGroupsMappings provider was created, but I don't see it in CDM (v5.7.1)</P><P>&nbsp;</P><P>Is it possible to configure CDM to use the CompositeGroupsMappings provider using a safety valve?</P><P>- the LdapGroupsMapping should be used for regular users</P><P>- the ShellBasedUnixGroupsMapping should be used for system accounts, like hdfs &amp; yarn</P><P>&nbsp;</P><P>thanks</P> Tue, 28 Feb 2017 14:04:36 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/CompositeGroupsMapping/m-p/51564#M55745 jeroenr 2017-02-28T14:04:36Z https://community.cloudera.com/t5/Archives-of-Support-Questions/CompositeGroupsMapping/m-p/52008#M55746 <P>The code is there and you can use it if you want it but we do not expose it in the Cloudera Manager UI. You will need to use a configuration snippet in the <EM>HDFS service for core-site.xml (cluster wide)</EM> and add the <A href="https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/GroupsMapping.html#Composite_Groups_Mapping" target="_self">relevant keys</A>:</P><P>&nbsp;</P><PRE>hadoop.security.group.mapping -&gt; org.apache.hadoop.security.CompositeGroupsMapping hadoop.security.group.mapping.providers -&gt; ProviderName1,ProviderName2 hadoop.security.group.mapping.providers.combined -&gt; true hadoop.security.group.mapping.providers.&lt;ProviderName1&gt;</PRE><P>That should work.</P><P>&nbsp;</P><P>Wilfred</P> Thu, 09 Mar 2017 23:47:44 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/CompositeGroupsMapping/m-p/52008#M55746 Wilfred 2017-03-09T23:47:44Z https://community.cloudera.com/t5/Archives-of-Support-Questions/CompositeGroupsMapping/m-p/52040#M55747 <P>the configuration works fine</P><P>&nbsp;</P><P>only issue is that the bind user password is not redacted in the advanced configuration snippet and in clear text in the core-site.xml</P><P>&nbsp;</P><P>According to the security guide (sensitive data redaction), v5.8.x (not documented for 5.7.x):</P><P>Redaction of Advanced Configuration Snippet parameters is based on detecting keywords explicitly defined as sensitive in the contents of these parameters. That is, parameters containing the keywords <EM>password</EM>, <EM>key</EM>, <EM>aws</EM>, or <EM>secret</EM>, will be redacted for users who do not have the required edit privileges</P><P>&nbsp;</P><P>I'll open a case to check how to get this working on 5.7.1</P><P>&nbsp;</P> Fri, 10 Mar 2017 14:42:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/CompositeGroupsMapping/m-p/52040#M55747 jeroenr 2017-03-10T14:42:05Z