Created 02-12-2016 01:50 PM
Hi,
I have a requirement where we have to assign our CS queues based on AD groups.
For example, our AD users are using the cluster and running jobs under a defined queue, but is there any way to configure their AD group with a queue so that each member of that queue will go only to a specific queue?
Created 02-12-2016 01:55 PM
For this you have to make sure that Ambari (if you are using the CS view) is in sync with AD. You have to import the users and groups that you want to map to queues.
See this demo on queue mapping.
As long as user id matches with CS setup, queues will be in effect.
Created 02-15-2016 01:59 PM
Hello @Neeraj Sabharwal: Thanks for the above explanation. I have configured the CS view, which is working fine for local Unix groups and users. But when I configured it for an LDAP or AD group, it does not work and fails with the below error.
org.apache.tez.dag.api.TezException: org.apache.hadoop.yarn.exceptions.YarnException: Failed to submit application_1455533826426_0018 to YARN : Failed to submit application application_1455533826426_0018 submitted by user saurkuma reason: No groups found for user saurkuma
Created 02-15-2016 02:02 PM
@Saurabh Kumar See this "submitted by user saurkuma reason: No groups found for user saurkuma"
Start with user level mapping and then see if your user is part of the group or not.
Created on 02-15-2016 02:27 PM - edited 08-19-2019 01:27 AM
@Neeraj Sabharwal: Yes, I am a part of the AD group (adhdpadm), and when I configure u:saurkuma:default it works fine, but when I do g:adhdpadm:default it fails with the above error.
Created 02-15-2016 02:31 PM
@Saurabh Kumar https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_yarn_resource_mgt/content/default_queue_...
My only concern is if user is part of that group or not.
<property>
  <name>yarn.scheduler.capacity.queue-mappings</name>
  <value>u:maria:engineering,g:webadmins:weblog</value>
</property>
Created 02-15-2016 04:40 PM
Hi @Neeraj Sabharwal: When I configured the AD group mapping, I didn't define any user mapping. And yes, user saurkuma is a part of the adhdpadm group.
My first point is: does it support LDAP groups (Active Directory) or not?
I checked with local unix groups and found them working.
Created 02-15-2016 04:58 PM
Let me run a test and get back to you.
Created 02-15-2016 08:14 PM
uid=29800018(neeraj) gid=29800018(neeraj) groups=29800018(neeraj),29800017(hdpadmin)
[root@phdns02 scripts]#
See this
Created 02-15-2016 08:15 PM
@Saurabh Kumar You can see that I have mapped the hdpadmin group to queue hadoopadmin.
User neeraj is part of the group, and when I run a YARN job, it executes against the hdpadmin queue.
[root@phdns02 ~]# cat /etc/group | grep hdpadmin
[root@phdns02 ~]# su - neeraj
su: warning: cannot change directory to /home/neeraj: No such file or directory
-sh-4.1$ id
uid=29800018(neeraj) gid=29800018(neeraj) groups=29800018(neeraj),29800017(hdpadmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ exit
logout
[root@phdns02 ~]# id neeraj
uid=29800018(neeraj) gid=29800018(neeraj) groups=29800018(neeraj),29800017(hdpadmin)
[root@phdns02 ~]#
Created 02-17-2016 07:22 AM
@Neeraj Sabharwal: Thanks a lot for your testing.
I see you have tested it for a Unix user (neeraj) who is part of a Unix group (hdpadmin), which is working fine for me.
But my requirement is that we have some users who don't connect to the server; they directly use some tools (like Aqua Data Studio, a SQL client or a Teradata client), and we validate their login to our cluster against LDAP (Active Directory) with a JDBC string or through beeline.
And when they submit their job then they have to set property mapred.job.queue.name and run their jobs.
So my point is: can we configure the CS view for LDAP or AD groups as well?
I tried it for groups but I am getting the below error. But when I tried a user-specific mapping, it works (as expected).
g:adhdpadm:batch
ERROR : Failed to execute tez graph.
org.apache.tez.dag.api.TezException: org.apache.hadoop.yarn.exceptions.YarnException: Failed to submit application_1455533826426_0025 to YARN : Failed to submit application application_1455533826426_0025 submitted by user saurkuma reason: No groups found for user saurkuma
u:saurkuma:batch: working
Created 02-17-2016 10:41 AM
@Saurabh Kumar Give me output of id saurkuma
Created 02-17-2016 10:05 AM
You are incorrect. User neeraj and group hdpadmin is not in UNIX. It's in AD
Look at my comments carefully 🙂
Output of /etc/group and /etc/passwd
Created 02-17-2016 12:05 PM
@Neeraj Sabharwal: It might be that the same user neeraj is also part of Unix and AD. So that's why it is working. But in my case we do not have the same user in a Unix group.
Please find the output below.
[s0998dnz@*********001 ~]$ id saurkuma
id: saurkuma: No such user
Created 02-17-2016 12:07 PM
No, neeraj and group is in AD
You can see the output
Also, you need to look into syncing up your server with AD
Use nslcd or sssd
Created on 02-19-2016 12:06 PM - edited 08-19-2019 01:27 AM
@Saurabh Kumar following up on this.
User neeraj and group hdpadmin are in LDAP.
They don't exist in /etc/passwd and /etc/group.
Created 02-22-2016 12:32 PM
@Neeraj Sabharwal: Today I noticed that it is not working because I don't have sssd running, and it is not configured either. And I feel it is mandatory for group mapping with HDFS.
I tried to configure sssd with LDAP but did not succeed, so I need your help to configure sssd. Do you have any doc or instructions for that?
Created 03-14-2016 07:55 PM
@Saurabh Kumar That's exactly what my point was 🙂
I use this https://github.com/hortonworks-gallery/ambari-nslcd-service
So, as you can see in the demo, we can map AD groups.
https://community.hortonworks.com/articles/17135/yarn-queues-and-ad-group-mapping.html
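
The behaviour seen in this thread, as an added example that is not part of any post and is not YARN's own code: a simplified shell model of left-to-right queue-mapping evaluation, showing why a `u:` entry matches without any group lookup while a `g:` entry fails with "No groups found" when the host cannot resolve the user's groups. `resolve_queue`, `sample_groups` and `GROUP_LOOKUP` are hypothetical names, the sample group data is constructed, and the model assumes group resolution goes through the local OS.

```shell
#!/bin/sh
# Added example: simplified model of how a queue-mappings value is evaluated.
# Not YARN source code; function and variable names here are hypothetical.

# Group lookup command. The default asks the local OS (NSS), so AD groups are
# visible only when sssd or nslcd is configured on the host.
GROUP_LOOKUP=${GROUP_LOOKUP:-id -Gn}

# Constructed sample data mirroring the thread: neeraj resolves, saurkuma does not.
sample_groups() {
    case $1 in
        neeraj) echo "neeraj hdpadmin" ;;
        *)      return 1 ;;
    esac
}

# resolve_queue USER MAPPINGS: print the queue for USER, first match wins.
# Returns 1 if nothing matches, 2 if a g: entry is reached with no groups.
resolve_queue() {
    rq_user=$1
    rq_rest=$2
    while [ -n "$rq_rest" ]; do
        rq_entry=${rq_rest%%,*}
        case $rq_rest in
            *,*) rq_rest=${rq_rest#*,} ;;
            *)   rq_rest= ;;
        esac
        rq_kind=${rq_entry%%:*}
        rq_tail=${rq_entry#*:}
        rq_source=${rq_tail%%:*}
        rq_queue=${rq_tail#*:}
        if [ "$rq_kind" = u ] && [ "$rq_source" = "$rq_user" ]; then
            echo "$rq_queue"; return 0
        elif [ "$rq_kind" = g ]; then
            rq_groups=$($GROUP_LOOKUP "$rq_user" 2>/dev/null) || rq_groups=
            if [ -z "$rq_groups" ]; then
                echo "No groups found for user $rq_user" >&2; return 2
            fi
            for rq_g in $rq_groups; do
                if [ "$rq_g" = "$rq_source" ]; then echo "$rq_queue"; return 0; fi
            done
        fi
    done
    return 1
}

# Demo with the constructed lookup (prints "hadoopadmin").
( GROUP_LOOKUP=sample_groups; resolve_queue neeraj 'g:hdpadmin:hadoopadmin' )
```

Run on the ResourceManager host with `GROUP_LOOKUP` left at its default, the function uses the same `id` lookup shown in the thread, so a user that returns "No such user" there will hit return code 2 on any `g:` entry.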