Support Questions
Find answers, ask questions, and share your expertise

HBase RegionServer LdapGroupsMapping timeout

Expert Contributor


My configuration:

HDP 2.5.1, Ambari 2.4.2, 7 nodes (2x Master, 5x Slaves), Centos 6, Secured (Kerberos)

I have configured LDAP group mapping. When I tried to "scan" HBase table I got "timeout error". From the logs:

 "WARN LdapGroupsMapping: Failed to get groups for user <my_active_directory_user> (retry=0)"

After 3 retries I got the "timeout error" in HBase shell. Every try takes 60 seconds by default which is 180 seconds in total, while HBase timeout was set to 60 seconds I believe. I changed the HBase timeout to 240 seconds, and now every "scan" operation is done successfully after 180 seconds (LDAP groups still can not be mapped, that is just a WARN causes HBase timeout). I know I can change group mapping timeout to lets say 2 seconds, then I will obtain my result in 6 seconds, but that is not a good solution.

The cause of the problem is that my RegionServers (for secure reason) are configured to not reach Active Directory.

Do you have any ideas to workaround this? Except changing the network layer.


Super Guru

@Edgar Daeds

I want to make sure I understand this correctly. Please let me know if I am wrong.

1. You have configured LDAP group mapping.

2. Your HBase Region server cannot reach the LDAP server due to security reasons.

3. Once LDAP timeout expires, your query works.

If my understanding is correct, then you need to disable LDAP integration until you can actually query the LDAP server for group mappings. What's the point in configuring LDAP when you cannot actually reach out to it?

Expert Contributor


Thank you for answer.

That is correct.

The strange thing is that my Region server cannot reach the AD server (ping - timeout; and WARN Failed to get groups for user), but "hdfs groups <ad_user_name>" command returns groups correctly and I believe that group policies (I am using Ranger) are working correctly.

So if I disable LDAPGroupMapping I will not be able to grant/revoke access per group, only per user.

; ;