11-21-2016 07:40 AM
I am trying to integrate Cloudera with EMC Isilon, and also enable the AD integration. Everything worked fine until I started trying to add the Sentry service.
Before I started the Sentry configuration, I tested HDFS commands, MR jobs and some Hive commands. They were working perfectly.
I tried to test Sentry with the following steps:
1. I created one AD account, say "DEMO\ryan", in the group "DEMO\hiveadmins".
2. I created a role in Hive with all privileges on server1, called "admin".
3. I granted the role "admin" to the AD group "DEMO\hiveadmins".
4. I tried to log into beeline with ryan, and found ryan couldn't do anything.
5. I also granted the role to other groups which ryan belongs to, and it still didn't work.
6. I checked the token of ryan in OneFS, and here's the output:
clstr8-1# isi auth mapping token --user firstname.lastname@example.org --zone zonecdh59
On Disk: S-1-5-21-3304186071-1863724826-2984370736-1108
Name: DEMO\domain users
On Disk: S-1-5-21-3304186071-1863724826-2984370736-513
Name: DEMO\enterprise admins
Name: DEMO\denied rodc password replication group
Name: DEMO\domain admins
Name: DEMO\vi admins
Name: Authenticated Users
7. Only after I granted the role "admin" to the group "ryan" did the user ryan get all the privileges. However, there was actually no group "ryan" in AD.
I double-checked the Sentry configuration. I found there were some steps to enable HDFS group mapping. However, I couldn't find any steps to configure that in Isilon. I think Sentry didn't get the AD groups to which ryan belongs; that's why the groups that had been granted the role "admin" were not actually inherited by user ryan.
Has anyone had experience configuring Sentry with Isilon?
Any high-level directions would be much appreciated. Of course, if you have detailed steps, that would be a million thanks!
PS, I configured the following Isilon mapping rules.
clstr8-1# isi zone zones view zonecdh59
Map Untrusted: -
Auth Providers: lsa-local-provider:zonecdh59, lsa-activedirectory-provider:DEMO.LAB
NetBIOS Name: -
User Mapping Rules: hdfs => root , DEMO\* &= * , mapred => yarn 
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Cache Entry Expiry: 4H
Zone ID: 2