Cloudera Community

Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.
Solved Go to solution

Ranger, Knox integration with Multiple Forest AD's

avatar
author-rank jknulst author-rank
Super Collaborator

Created ‎12-22-2016 09:38 AM

I came to know that AD can be set up with multiple forests. Forest are AD lingo for a container at a level even higher then the Domain Controllers. This is not uncommon in large enterprise AD deployments ( see : MS_Technet)

So my question is:

-Do any of the HDP stack security features (Knox and Ranger) support this multi forest setup of AD (with the aim of synching or logging on to HDP from any one of those forests) and how?

2,385 Views
1 ACCEPTED SOLUTION

avatar
author-rank myoung
Super Guru

Created ‎12-22-2016 07:06 PM

@Jasper

As you mention, a Forest is just a container for multiple domains. If there is a trust relationship in place, then you should be able to authenticate from Domain1 and access resources in Domain2. You can also authenticate against Domain1 and query Domain2.

I believe the HDP stack security components can authenticate to a domain within a Forest without any issues as the Forest should be transparent to HDP.

Having said that, I believe you can only specify a single domain in the configuration options for the HDP components. While you can query multiple domains using tools like "ldapsearch", I don't think you can currently do so using HDP.

View solution in original post

1,915 Views
0 Kudos
2 REPLIES 2

avatar
author-rank myoung
Super Guru

Created ‎12-22-2016 07:06 PM

@Jasper

As you mention, a Forest is just a container for multiple domains. If there is a trust relationship in place, then you should be able to authenticate from Domain1 and access resources in Domain2. You can also authenticate against Domain1 and query Domain2.

I believe the HDP stack security components can authenticate to a domain within a Forest without any issues as the Forest should be transparent to HDP.

Having said that, I believe you can only specify a single domain in the configuration options for the HDP components. While you can query multiple domains using tools like "ldapsearch", I don't think you can currently do so using HDP.

1,916 Views
0 Kudos

avatar
author-rank ahallam
Expert Contributor

Created ‎02-09-2017 08:33 AM

FYI.

"Multiple Forest" is supported - but not "Cross Forest" AD.

If you have "Cross Forest" AD, Ranger may able to get users from the right branch but not groups or vice versa

1,915 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Real time Monitoring for 7.1.9+ and 7.2.18+ with Cl...
What's New @ Cloudera
Announcing Cloudera Streaming Analytics 1.17: Python UDFs, S...
Community Announcements
Content Update: Evolving Our Community Content for Better, A...
Community Announcements
Product Name Updates — Community Label Changes & Notificatio...
What's New @ Cloudera
Announcing Cloudera Data Lineage for Trino
View More Announcements