Can Atlas integrate with ldaps?

Contributor

Hi,

I'm integrating Atlas with AD. LDAP works fine, but LDAPS doesn't work.

Anyone did this before?

Regards

Re: Can Atlas integrate with ldaps?

Rising Star

Are you trying to use Active Directory or OpenLDAP over SSL? Can you list the steps you took to configure LDAPS and the error you got?

Re: Can Atlas integrate with ldaps?

Guru

@wbu

Authentication for Atlas is provided by Kerberos. To enable Kerberos you need a credential store (either AD or an MIT KDC). The LDAP protocol can be used to communicate with these stores but does not store user and group information by itself.

Install and Configure KDC

Enable Kerberos

Once you enable Kerberos for the cluster, you can configure the Atlas keytab and principal to authenticate against the KDC.

  • atlas.authentication.method (simple|kerberos) [default: simple] - the authentication method to utilize. Simple will leverage the OS authenticated identity and is the default mechanism. 'kerberos' indicates that the service is required to authenticate to the KDC leveraging the configured keytab and principal.
  • atlas.authentication.keytab - the path to the keytab file.
  • atlas.authentication.principal - the principal to use for authenticating to the KDC. The principal is generally of the form "user/host@realm". You may use the '_HOST' token for the hostname and the local hostname will be substituted in by the runtime (e.g. "Atlas/_HOST@EXAMPLE.COM").

Next is authorization. Authorization for Atlas can be configured either via a configuration file (probably not a good path for production ops) or through Apache Ranger. Ranger is an authorization system that has all of the required capabilities to integrate with and use LDAP or AD as the credential store of record. Once you integrate Ranger with your LDAP store, you will be able to create policies on all of the users and groups in your organization. All you need to do after that is to configure the Ranger Atlas service with policies that reflect the permissions you wish to grant or forbid to users registered in your LDAP or AD.

Configure Ranger LDAP/AD Sync

Configure Ranger Atlas Service

Configure Resource Policies for Atlas Ranger Service

Re: Can Atlas integrate with ldaps?

@wbu

Have you gone through the documentation below? It describes how to set up LDAP and AD for Atlas.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_data-governance/content/ch_hdp_data_gove...

This assumes that you have LDAP/AD server configured and running.

Re: Can Atlas integrate with ldaps?

Could you please list the steps you carried out for LDAPS? This will help with further debugging.

Re: Can Atlas integrate with ldaps?

Contributor

My question is how to make LDAPS work. At the moment, LDAP works fine in my customer's environment, but ldaps://xxx:636 doesn't. I need to find a way to configure it.

Regards

Re: Can Atlas integrate with ldaps?

Expert Contributor

The response from @Vadim Vaks doesn't address the original question and is misleading.

  • On one side, @Wendell Bu is not asking about the supported authentication methods on Atlas; he clearly says he wants to use LDAP authentication and asks about Apache Atlas support for SSL/TLS when using LDAP authentication.
  • On the other side, if the question were about the available user authentication methods in Apache Atlas, the answer is wrong, because the available user authentication methods are "File", "LDAP" and "Kerberos". These methods are configured with the three corresponding properties:
    • atlas.authentication.method.file = true/false,
    • atlas.authentication.method.ldap = true/false,
    • atlas.authentication.method.kerberos = true/false
    • and their corresponding subtree properties.

The mentioned values "simple|kerberos" are for the "Service Authentication Method", which is related to the identity used by the Atlas service to run and to interact with other cluster services. This is a reasonable confusion, because the properties for this configuration have names very similar to the previous ones: atlas.authentication.[method/keytab/principal]. But this has little to do with the question. For more details see the following links:

Regarding to the real question, this article seems to be the answer:

It's not mentioned in the article, but you will also have to change your LDAP URL:

atlas.authentication.method.ldap.url = ldaps://authserv.ict4v.org:636

because it seems Apache Atlas (like most of the Hadoop components) doesn't fully support TLS yet, but only the old LDAP over SSL (LDAPS).
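Two things in this thread trip people up: the service-identity properties (atlas.authentication.method / keytab / principal) look almost identical to the user-login switches (atlas.authentication.method.file / ldap / kerberos), and an LDAP URL left at ldap://host:389 means the bind credentials cross the wire in the clear. The following audit script is an added example, not code from the Atlas project or from any poster here. It reads an application.properties, separates the two namespaces, flags a plaintext or mis-ported directory URL, and emits the corrected ldaps://host:636 value the last reply recommends. The property names are the ones quoted in the thread; the AD-mode key atlas.authentication.method.ldap.ad.url is an assumption and is treated the same way. The properties file it runs on is constructed inline for the example.

```python
"""Audit an Apache Atlas application.properties for the two authentication
namespaces discussed in this thread and for plaintext LDAP URLs.

Added example, not Atlas project code. Property names come from the thread;
atlas.authentication.method.ldap.ad.url is assumed to be the AD-mode URL key.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of an atlas application.properties; not from a real cluster.
SAMPLE_PROPERTIES = """\
# Service identity Atlas runs under and uses toward the KDC (NOT user login)
atlas.authentication.method=kerberos
atlas.authentication.keytab=/etc/security/keytabs/atlas.service.keytab
atlas.authentication.principal=atlas/_HOST@EXAMPLE.COM

# User authentication for the Atlas web UI / REST API
atlas.authentication.method.file=false
atlas.authentication.method.kerberos=true
atlas.authentication.method.ldap=true
atlas.authentication.method.ldap.url=ldap://ad.example.com:389
"""

# The three user-authentication switches named in the thread, in report order.
USER_AUTH_SWITCHES = ("file", "ldap", "kerberos")
# Directory URL keys; the .ad.url variant is an assumption, not quoted in the thread.
LDAP_URL_KEYS = ("atlas.authentication.method.ldap.url",
                 "atlas.authentication.method.ldap.ad.url")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_ldap_url(url):
    """Return findings for one directory URL; an empty list means it looks right."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "ldap":
        findings.append(f"{url}: plaintext LDAP; bind credentials cross the wire "
                        f"unencrypted, use ldaps://")
    elif parts.scheme == "ldaps":
        if parts.port == 389:
            findings.append(f"{url}: ldaps on 389 (the plaintext/StartTLS port); "
                            f"LDAPS normally listens on 636")
    else:
        findings.append(f"{url}: unknown scheme '{parts.scheme}'")
    return findings


def audit(props):
    """Separate the service identity from the user-login switches and lint the URL(s)."""
    service_auth = props.get("atlas.authentication.method", "simple")
    user_methods = [m for m in USER_AUTH_SWITCHES
                    if props.get(f"atlas.authentication.method.{m}", "false").lower() == "true"]
    findings = []
    if "ldap" in user_methods:
        urls = [props[k] for k in LDAP_URL_KEYS if k in props]
        if not urls:
            findings.append("LDAP user authentication enabled but no directory URL set")
        for url in urls:
            findings.extend(check_ldap_url(url))
    return {"service_auth": service_auth,
            "user_auth_methods": user_methods,
            "findings": findings}


def harden(props):
    """Return a copy with ldap:// URLs rewritten to ldaps:// on 636, as the thread advises."""
    fixed = dict(props)
    for key in LDAP_URL_KEYS:
        url = fixed.get(key)
        if url and urlsplit(url).scheme == "ldap":
            fixed[key] = f"ldaps://{urlsplit(url).hostname}:636"
    return fixed


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    report = audit(props)
    print("service identity (atlas.authentication.method):", report["service_auth"])
    print("user login methods enabled:", report["user_auth_methods"])
    for finding in report["findings"]:
        print("FINDING:", finding)
    for key, value in harden(props).items():
        if key in LDAP_URL_KEYS:
            print("corrected:", key, "=", value)
```

Point the script at a real application.properties and it will tell you which of the two namespaces each property belongs to before you touch the URL. If the URL is already ldaps://host:636 and the bind still fails, the remaining question is whether the JVM that runs Atlas trusts the certificate the directory presents; that is outside what this thread covers and should be checked separately.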
