Created 09-25-2015 06:24 PM
Recently used TDE to encrypt an HBase installation and found some interesting requests for Key access by the Region Servers.
Out of the box, we locked down the Key permissions to allow only the "hbase" user, since this was the user accessing the files by way of the Region Servers. During normal operations, we saw additional requests from the "nn" user and later from "hdfs".
Well, "hdfs" is a user, that's fine. But "nn" is not. "nn" was set up as a principal per host for Kerberos (in IPA).
We got around this by actually creating an "nn" user in IPA and granting them rights to the Key in Ranger KMS. Was that the best way?
And I'm a little curious "how" the "nn" principal expressed itself as a user in HDFS operations.
Created 09-28-2015 10:00 PM
If the service accounts (such as nn, hbase, hdfs) need to access the Hadoop data and/or KMS key, you must provide the necessary permissions for these users in Ranger, and these (service) users must be available in Ranger to add them as part of the security access policies. If your usersync process does not bring these users from the Enterprise Directory (such as LDAP, AD), you can add these users in Ranger by logging in as the admin user and using the "Add New User" option under the "Settings -> User/Groups" menu.
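The "how" asked in the question and the "which users must exist in Ranger" in this answer are the same mechanism seen from two sides: Hadoop turns a Kerberos principal such as nn/host@REALM into a short username through the hadoop.security.auth_to_local rules, and the DEFAULT rule keeps just the first component for principals in the cluster's own realm, which is why the per-host "nn" principal shows up as the user "nn". Ranger KMS then evaluates its key policies against that short name. The following is an added, simplified reimplementation of that mapping (not Hadoop's or Ranger's code, and not from this thread); the realm EXAMPLE.COM, the hostnames, the rule strings and the toy key-policy table are all constructed for the illustration, and less common rule features (lowercasing suffixes, multiple substitutions) are omitted.

```python
"""Simplified model of Hadoop's hadoop.security.auth_to_local mapping and a
toy KMS key-policy check. Constructed example; not Hadoop or Ranger code."""
import re
from typing import Dict, List, Optional, Set, Tuple

# RULE:[n:format](match-regex)s/pattern/replacement/[g]  or the literal DEFAULT
RULE_RE = re.compile(
    r"RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"            # component count + format string
    r"(?:\((?P<match>[^)]*)\))?"                       # optional regex the formatted name must match
    r"(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<g>g)?)?"  # optional sed-style substitution
)
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^@]+)$"
)


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'primary[/instance]@REALM' into its components and realm."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    components = [m.group("primary")]
    if m.group("instance"):
        components.append(m.group("instance"))
    return components, m.group("realm")


def apply_rule(rule: str, components: List[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Return the short name if this rule matches, else None."""
    if rule == "DEFAULT":
        # DEFAULT: principals in the cluster's realm map to their first component,
        # so nn/host@EXAMPLE.COM becomes plain "nn".
        return components[0] if realm == default_realm else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    if int(m.group("n")) != len(components):
        return None
    # Build the candidate name: $0 is the realm, $1..$n are the components.
    name = m.group("fmt").replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        name = name.replace(f"${i}", comp)
    if m.group("match") and not re.fullmatch(m.group("match"), name):
        return None
    if m.group("pat") is not None:
        count = 0 if m.group("g") else 1  # 'g' flag: replace all occurrences
        name = re.sub(m.group("pat"), m.group("rep"), name, count=count)
    return name


def map_principal(principal: str, rules: List[str], default_realm: str) -> str:
    """First matching rule wins; no match is an error, as Hadoop treats it."""
    components, realm = parse_principal(principal)
    for rule in rules:
        short = apply_rule(rule, components, realm, default_realm)
        if short is not None:
            return short
    raise ValueError(f"no auth_to_local rule matched {principal!r}")


# Toy stand-in for a Ranger KMS key policy: key name -> users allowed on it.
# Constructed values; the real policy lives in Ranger, not in a dict.
def kms_access_allowed(principal: str, key_name: str,
                       key_policies: Dict[str, Set[str]],
                       rules: List[str], default_realm: str) -> bool:
    """The policy is evaluated against the mapped short name, never the principal."""
    short_name = map_principal(principal, rules, default_realm)
    return short_name in key_policies.get(key_name, set())


REALM = "EXAMPLE.COM"                     # constructed
DEFAULT_ONLY = ["DEFAULT"]
# A rule set of the kind commonly used to fold the NameNode/DataNode
# principals onto the hdfs account before falling back to DEFAULT.
FOLD_TO_HDFS = [
    "RULE:[2:$1@$0](nn@.*EXAMPLE.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0](dn@.*EXAMPLE.COM)s/.*/hdfs/",
    "DEFAULT",
]
HBASE_KEY_POLICY = {"hbase-key": {"hbase"}}   # constructed, mirrors the thread's setup

if __name__ == "__main__":
    nn = "nn/namenode1.example.com@EXAMPLE.COM"
    print(map_principal(nn, DEFAULT_ONLY, REALM))    # nn   -> the user seen in the question
    print(map_principal(nn, FOLD_TO_HDFS, REALM))    # hdfs -> folded onto the hdfs account
    print(kms_access_allowed(nn, "hbase-key", HBASE_KEY_POLICY, DEFAULT_ONLY, REALM))
```

With only DEFAULT in place, the NameNode principal reaches the KMS as "nn", so a key policy that lists only "hbase" denies it; with the folding rules, the same principal arrives as "hdfs". Either way the name in the Ranger policy must match what auth_to_local produces, which is why the service users have to exist in Ranger before they can be granted key permissions.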
Created 09-30-2015 01:11 AM
The question is: why is the "nn" user trying to access data?