
How to configure Sentry with Isilon

I am trying to integrate Cloudera with EMC Isilon and also enable AD integration. Everything worked fine until I started trying to add the Sentry service.

Before I started the Sentry configuration, I had tested HDFS commands, MR jobs and some Hive commands. It was working perfectly.

I tried to test Sentry with the following steps:

1. I created one AD account, say "DEMO\ryan", in the group "DEMO\hiveadmins".

2. I created a role in Hive with all privileges on server1, called "admin".

3. I granted the role "admin" to the AD group "DEMO\hiveadmins".

4. I tried to log into beeline as ryan, and found ryan couldn't do anything.

5. I also granted the role to other groups that ryan belongs to, and it still didn't work.

6. I checked the token of ryan in OneFS, and here's the output:

          clstr8-1# isi auth mapping token --user ryan@demo.lab --zone zonecdh59
                   User
                       Name: DEMO\ryan
                        UID: 1000004
                        SID: S-1-5-21-3304186071-1863724826-2984370736-1108
                    On Disk: S-1-5-21-3304186071-1863724826-2984370736-1108
                    ZID: 2
                   Zone: zonecdh59
                  Privileges: -
            Primary Group
                       Name: DEMO\domain users
                        GID: 1000000
                        SID: S-1-5-21-3304186071-1863724826-2984370736-513
                    On Disk: S-1-5-21-3304186071-1863724826-2984370736-513
Supplemental Identities
                       Name: DEMO\hiveadmins
                        GID: 1000021
                        SID: S-1-5-21-3304186071-1863724826-2984370736-1242

                       Name: DEMO\enterprise admins
                        GID: 1000007
                        SID: S-1-5-21-3304186071-1863724826-2984370736-519

                       Name: DEMO\denied rodc password replication group
                        GID: 1000010
                        SID: S-1-5-21-3304186071-1863724826-2984370736-572

                       Name: DEMO\domain admins
                        GID: 1000005
                        SID: S-1-5-21-3304186071-1863724826-2984370736-512

                       Name: DEMO\vi admins
                        GID: 1000019
                        SID: S-1-5-21-3304186071-1863724826-2984370736-1104

                       Name: Administrators
                        GID: 1544
                        SID: S-1-5-32-544

                       Name: Users
                        GID: 1545
                        SID: S-1-5-32-545

                       Name: Authenticated Users
                        UID: -
                        GID: -
                        SID: S-1-5-11

                       Name: ryan
                        UID: 5002
                        SID: S-1-5-21-92656056-893523800-384001705-1040

                       Name: ryan
                        GID: 5002
                        SID: S-1-5-21-92656056-893523800-384001705-1039

 

7. Only after I granted the role "admin" to the group "ryan" did the user ryan get all the privileges. However, there is actually no group "ryan" in AD.

I double-checked the Sentry configuration. I found there were some steps to enable HDFS group mapping; however, I couldn't find any steps to configure that for Isilon. I think Sentry didn't get the AD groups that ryan belongs to, which is why the groups that had been granted the role "admin" were not actually inherited by user ryan.

Has anyone had experience configuring Sentry with Isilon?

Any high-level directions would be very much appreciated. Of course, if you have detailed steps, that would be worth a million thanks!

PS: I configured the following Isilon mapping rules.

clstr8-1# isi zone zones view zonecdh59
                Name: zonecdh59
                Path: /ifs/zones/cdh59
            Groupnet: groupnet0
       Map Untrusted: -
      Auth Providers: lsa-local-provider:zonecdh59, lsa-activedirectory-provider:DEMO.LAB
        NetBIOS Name: -
  User Mapping Rules: hdfs => root [], DEMO\* &= * [], mapred => yarn []
Home Directory Umask: 0077
  Skeleton Directory: /usr/share/skel
  Cache Entry Expiry: 4H
             Zone ID: 2
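The comparison the post is doing by hand (which of the groups a Sentry role was granted to actually show up in the user's OneFS token) can be scripted. The following is an added example written for this thread, not code from the poster, Cloudera or Dell EMC. It parses the `isi auth mapping token` output format as quoted above (a trimmed copy of that output is embedded as constructed sample input), lists the group identities in the token, and reports for each granted group whether it matches exactly, matches only once the `DOMAIN\` prefix is stripped, or is missing. The function names and the "exact / domain-stripped / missing" labels are this example's own.

```python
"""Check which groups a Sentry role was granted to appear in a OneFS user token.

Added example for this thread; the token format follows the
`isi auth mapping token` output quoted in the post.
"""

# Constructed sample: a trimmed copy of the token output quoted in the post.
SAMPLE_TOKEN = """\
                   User
                       Name: DEMO\\ryan
                        UID: 1000004
                        SID: S-1-5-21-3304186071-1863724826-2984370736-1108
                    On Disk: S-1-5-21-3304186071-1863724826-2984370736-1108
                    ZID: 2
                   Zone: zonecdh59
                  Privileges: -
            Primary Group
                       Name: DEMO\\domain users
                        GID: 1000000
                        SID: S-1-5-21-3304186071-1863724826-2984370736-513
Supplemental Identities
                       Name: DEMO\\hiveadmins
                        GID: 1000021
                        SID: S-1-5-21-3304186071-1863724826-2984370736-1242

                       Name: DEMO\\domain admins
                        GID: 1000005
                        SID: S-1-5-21-3304186071-1863724826-2984370736-512

                       Name: Authenticated Users
                        UID: -
                        GID: -
                        SID: S-1-5-11

                       Name: ryan
                        UID: 5002
                        SID: S-1-5-21-92656056-893523800-384001705-1040

                       Name: ryan
                        GID: 5002
                        SID: S-1-5-21-92656056-893523800-384001705-1039
"""

# Section headers as they appear (after stripping indentation) in the token output.
SECTION_HEADERS = {
    "User": "user",
    "Primary Group": "primary_group",
    "Supplemental Identities": "supplemental",
}


def parse_token(text):
    """Parse token output into the user, the primary group and a list of
    supplemental identities, each as a dict of 'Key: value' fields."""
    result = {"user": {}, "primary_group": {}, "supplemental": []}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            current = None
            continue
        key, sep, value = line.partition(":")
        if not sep or section is None:
            continue  # not a "Key: value" line, or output before any header
        key, value = key.strip(), value.strip()
        if key == "Name":
            # Each "Name:" starts a new identity in the supplemental list;
            # the User and Primary Group sections hold a single identity.
            if section == "supplemental":
                current = {}
                result["supplemental"].append(current)
            else:
                current = result[section]
        if current is not None:
            current[key] = value
    return result


def is_group(identity):
    """An identity without a real UID is a group (or well-known group SID)."""
    uid = identity.get("UID")
    return uid is None or uid == "-"


def token_groups(parsed):
    """Names of all group identities carried by the token, primary group first."""
    groups = []
    if parsed["primary_group"]:
        groups.append(parsed["primary_group"]["Name"])
    groups.extend(i["Name"] for i in parsed["supplemental"] if is_group(i))
    return groups


def strip_domain(name):
    """'DEMO\\hiveadmins' -> 'hiveadmins'; names without a domain are unchanged."""
    return name.split("\\", 1)[1] if "\\" in name else name


def check_role_groups(parsed, granted_groups):
    """For each group a role was granted to, report 'exact', 'domain-stripped'
    (present only once the DOMAIN\\ prefix is ignored) or 'missing'."""
    present = token_groups(parsed)
    exact = {g.lower() for g in present}
    short = {strip_domain(g).lower() for g in present}
    report = {}
    for g in granted_groups:
        if g.lower() in exact:
            report[g] = "exact"
        elif strip_domain(g).lower() in short:
            report[g] = "domain-stripped"
        else:
            report[g] = "missing"
    return report


if __name__ == "__main__":
    parsed = parse_token(SAMPLE_TOKEN)
    for name, status in check_role_groups(
        parsed, ["DEMO\\hiveadmins", "hiveadmins", "ryan", "DEMO\\vi admins"]
    ).items():
        print(f"{name:20s} {status}")
```

Two things worth keeping in mind when reading the report. First, the token is OneFS's view of the user; Sentry resolves a user's groups through Hadoop's group mapping (`hadoop.security.group.mapping`) as configured on the HiveServer2 host, so the list to compare against is what `hdfs groups ryan` returns there, not only what OneFS reports. Second, in the quoted token the `ryan` group (GID 5002) carries a SID from a different SID domain (`S-1-5-21-92656056-...`) than the AD groups (`S-1-5-21-3304186071-...`), so a role granted to "ryan" is bound to that separately created identity rather than to anything managed in AD, which is why it is worth flagging in a report like this before relying on it.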
