I'm integrating Atlas with AD. LDAP works fine, but LDAPS doesn't work.
Has anyone done this before?
Are you trying to use Active Directory or OpenLDAP over SSL? Can you list out the steps you took to configure LDAPS and the error you got?
Authentication for Atlas is provided by Kerberos. To enable Kerberos you need a credential store (either AD or MIT KDC). The LDAP protocol can be used to communicate with these stores, but it does not store user and group information by itself.
Once you enable Kerberos for the cluster, you can configure the Atlas keytab and principal to authenticate against the KDC.
atlas.authentication.method (simple|kerberos) [default: simple] - the authentication method to use. 'simple' uses the OS-authenticated identity and is the default mechanism. 'kerberos' indicates that the service is required to authenticate to the KDC using the configured keytab and principal.
atlas.authentication.keytab - the path to the keytab file.
atlas.authentication.principal - the principal to use for authenticating to the KDC. The principal is generally of the form "user/host@realm". You may use the '_HOST' token for the hostname, and the local hostname will be substituted by the runtime (e.g. "Atlas/_HOST@EXAMPLE.COM").
Next is authorization. Authorization for Atlas can be configured either via a configuration file (probably not a good path for production ops) or through Apache Ranger. Ranger is an authorization system that has all of the required capabilities to integrate with and use LDAP or AD as the credential store of record. Once you integrate Ranger with your LDAP store, you will be able to create policies on all of the users and groups in your organization. All you need to do after that is to configure the Ranger Atlas service with policies that reflect the permissions you wish to grant or deny to users registered in your LDAP or AD.
Have you gone through the documentation below? It talks about how to set up LDAP and AD for Atlas.
This assumes that you have LDAP/AD server configured and running.
My question is how to make LDAPS work. At the moment, LDAP works fine in my customer's environment, but ldaps://xxx:636 doesn't. I need to find a way to configure it.
The response from @Vadim Vaks doesn't address the original question and is misleading.
atlas.authentication.method.file = true/false,
atlas.authentication.method.ldap = true/false,
atlas.authentication.method.kerberos = true/false
The mentioned values "simple|kerberos" are for the "Service Authentication Method", which is related to the identity used by the Atlas service to run and to interact with other cluster services. This is an understandable confusion, because the properties for this configuration (atlas.authentication.[method/keytab/principal]) have names very similar to the previous ones, but this has little to do with the question. For more details see the following links:
Regarding the real question, this article seems to be the answer:
It's not mentioned in the article, but you will also have to change your LDAP URL:
atlas.authentication.method.ldap.url = ldaps://authserv.ict4v.org:636
because it seems Apache Atlas (like most of the Hadoop components) doesn't fully support TLS yet, only the old LDAP over SSL (LDAPS).
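As an added pre-flight script (not part of this thread or the Atlas project), the checks below read the LDAP URL from the Atlas properties file, confirm it is an ldaps://host:636 URL, and then verify the certificate the directory presents on port 636 against a CA bundle and the JVM truststore; the host name, file paths, truststore password and alias are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight checks before switching Atlas from
# ldap:// to ldaps://host:636. Host names, file paths and aliases are placeholders.
set -eu

# Read one key from an Atlas properties file ("key = value" lines, last one wins).
prop_value() {
  key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the sed pattern
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$2" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# Accept only an ldaps:// URL on the standard LDAPS port; a plain ldap:// URL
# sends bind credentials in clear text, which is what the thread is moving away from.
check_ldap_url() {
  case "$1" in
    ldaps://*:636|ldaps://*:636/*) return 0 ;;
    ldap://*) echo "plain ldap:// URL, expected ldaps://host:636" >&2; return 1 ;;
    *)        echo "unexpected LDAP URL: $1" >&2; return 1 ;;
  esac
}

# Live check: fetch the certificate the directory presents on 636 and verify it
# against a CA bundle. An untrusted issuer, a name mismatch or an expired cert are
# the usual reasons ldap:// works while ldaps:// does not.
probe_ldaps() {
  host=$1; port=${2:-636}; cafile=$3
  openssl s_client -connect "${host}:${port}" -servername "$host" \
    -CAfile "$cafile" -verify_return_error </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# The JVM running Atlas must trust the issuing CA: check its truststore, and
# import the CA certificate (PEM) if the alias is missing.
truststore_has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}
truststore_import_ca() {
  keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass "$2" \
    -alias "$3" -file "$4"
}

# Usage (the live checks need network access to the directory):
#   url=$(prop_value atlas.authentication.method.ldap.url /etc/atlas/conf/atlas-application.properties)
#   check_ldap_url "$url" && probe_ldaps authserv.ict4v.org 636 /etc/pki/tls/certs/ca-bundle.crt
#   truststore_has_alias "$JAVA_HOME/lib/security/cacerts" changeit ad-root-ca ||
#     truststore_import_ca "$JAVA_HOME/lib/security/cacerts" changeit ad-root-ca /tmp/ad-root-ca.pem
```

Run the truststore functions as the user the Atlas service runs as, against the truststore that JVM actually uses (the default cacerts unless javax.net.ssl.trustStore is set for Atlas).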