Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Authentication & authorization with Multiple Active Directory domains

apchi777
New Contributor

Created on ‎08-03-2017 02:02 PM - edited ‎09-16-2022 05:02 AM

Hi Everybody,

In my organization we have a special case of 2 Active Directory domains.

All users are in ad.domain1, and OU in a ad.domain2 was used during Cloudera installation. Bind user was also created in ad.domain2. The same OU in domain2 is used to create security groups and add users from the domain1. We have trouble to configure Cloudera (HDFS, Sentry, Hive, Impala) to define user’s groups. In domain1 objectClass for users is ‘user’, but in domain2 those users are not ‘users’ but members of groups. I know how to set params for ldapsearch command:

 

ldapsearch -LLL -H "ldap://ad.domain2:3268" -D bind_user@ad.domain2 -W -b ou=my_ou_name,dc=ad,dc=domain2 "(&(objectClass=group)(member=CN=username1,OU=People,DC=domain1))" memberOf

 

This command will return the list of username1 groups in domain2. But question is – how to configure Cloudera’s CompositeGroupsMapping properties to have back the same list of groups in a format, which hdfs, sentry, hue would understand? Is it even possible with currently release of CDH?

Does anybody have the similar use case?

Thanks,

Alex

2,523 Views
0 Kudos
3 REPLIES 3

h@cloudera
Contributor

Created ‎08-16-2017 12:29 PM

Hi Alex,

 

I don't believe CompositeGroupsMapping is not an exposed configuration in Cloudera Manager.

Are you referring to this?

2,484 Views
0 Kudos

apchi777
New Contributor

Created ‎08-17-2017 11:54 AM

Good Afternoon h@cloudera ,

You are correct, CompositeGroupsMapping config is not directly exposed in Cloudera Manager. Safety valve should be used to configure it.

And yes, I am referring to Apache Hadoop doc.

Thanks,

Alex

2,472 Views
0 Kudos

h@cloudera
Contributor

Created ‎08-20-2017 04:52 PM

I don't believe we've done much testing with CDH and Composite Group Mappings but from what I understand, you'd specify the configurations for each LDAP (AD) provider individually - in the example provided in the previous link, we can see how each LDAP URL is provided; if other LDAP configurations differ such as bind user, bind password, filters, etc. those can be entered as additional properties.

 

All of this would go in the cluster wide core-site.xml safety valve (in HDFS configurations).

 

Again, haven't tested it but there are some who use it. A more robust approach would be to use tools like Centrify, VAS, SSSD, etc. to handle the AD/Linux integration.

2,462 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Product Announcements
CDP Public Cloud: May 2023 Release Summary
What's New @ Cloudera
Cloudera Operational Database (COD) provides enhancements to the --scale-type CDP CLI option
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
View More Announcements