I have a requirement where we have to assign our CS queues based on ad groups.
For example our ad users are using cluster and running jobs under defined queue but I want that is there any way to configure their AD group with queue so that each member of that queue will go only to a specific queue.
Hello @Neeraj Sabharwal: Thanks for the above explanation. I have configured CS view which is working fine for local unix group and users. But when I configured for Ldap or AD group it does not work and fail with below error.
org.apache.tez.dag.api.TezException: org.apache.hadoop.yarn.exceptions.YarnException: Failed to submit application_1455533826426_0018 to YARN : Failed to submit application application_1455533826426_0018 submitted by user saurkuma reason: No groups found for user saurkuma
My only concern is if user is part of that group or not.
<property> <name>yarn.scheduler.capacity.queue-mappings</name> <value>u:maria:engineering,g:webadmins:weblog</value> </property>
Hi @Neeraj Sabharwal: when configured ad group mapping then I don't defined any user mapping.And yes user saurkuma is a part of adhdpadm group.
My first point is does it supports ldap groups(Active directory) or not ?
I checked with local unix groups and found them working.
@Saurabh Kumar You can see that I have mapped hdpadmin group to queue hadoopadmin
user neeraj is part of the group and when I run yarn job, it executes against hdpadmin queue
[root@phdns02 ~]# cat /etc/group | grep hdpadmin
[root@phdns02 ~]# su - neeraj
su: warning: cannot change directory to /home/neeraj: No such file or directory
exituid=29800018(neeraj) gid=29800018(neeraj) groups=29800018(neeraj),29800017(hdpadmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@phdns02 ~]# id neeraj
uid=29800018(neeraj) gid=29800018(neeraj) groups=29800018(neeraj),29800017(hdpadmin)
@Neeraj Sabharwal: Thanks a lot for your testing.
I see you have tested it for a unix user(neeraj) who is part of a unix group(hdpadmin).Which is working fine for me.
But my requirement is we have some users where they don't connect to server,they directly use some tools (like Aqua Data Studio or SQL client or Teradata client) and we validate them by login to our cluster by their LDAP(active directory) with jdbc string or though beeline.
And when they submit their job then they have to set property mapred.job.queue.name and run their jobs.
So my point is can we configure CS view for ldap or AD groups as well ?
I tried it for groups but getting below error. But when I tried for user specific then it is working(as expected)
ERROR : Failed to execute tez graph.
org.apache.tez.dag.api.TezException: org.apache.hadoop.yarn.exceptions.YarnException: Failed to submit application_1455533826426_0025 to YARN : Failed to submit application application_1455533826426_0025 submitted by user saurkuma reason: No groups found for user saurkuma
@Neeraj Sabharwal: It might be that same user neeraj is also part of Unix and AD. So thats why it is working. But in my case we have do not have same user in unix group.
please find the below output.
[s0998dnz@*********001 ~]$ id saurkuma
id: saurkuma: No such user
@Neeraj Sabharwal: Today I noticed that it is not working as I don't have sssd running and it is not configured also. And I feel it is mandatory for group mapping with hdfs.
I tried to configure sssd with ldap but did not get success, so I need your hep to configure sssd, do you have any doc or instruction to do that ?
@Saurabh Kumar That's exactly my point was 🙂
So..As you can see in the demo, we can map AD groups.