Just wanted to know if it is possible to integrate HDFS and other CDH services with LDAP without Kerberizing the setup.
For example can I import a set of users from LDAP and add them to various groups in Hue and HDFS in order to control access?
I do not want to define my hdfs groups in LDAP and import them into hdfs, and I want to do access control for a group and not for individuals.
Thanks for your response.
I did see this one before, but this one seems to be focused on LDAP integration of Hue. I am looking at a more end-to-end solution :(
These are the things I would like to perform:
1. Create various groups in hue. This is possible as of today.
2. Should be able to map these groups to hdfs and mapred groups.
3. Assign space/name quota and queues to these groups.
4. Assign various application permission to these groups. This is also possible as of today.
5. Import users from my existing directory server and add them to various hue groups (possible today).
6. These users will be restricted by the quotas and queues assigned to their group and also the permissions to individual apps.
7. I am talking about a pure web UI based access to all services. No ssh to any host on the cluster, except for admin purposes.
8. All of these without kerberizing our cluster.
Question is how to perform step 2?
#2: if you want to do this, you need to import the users from LDAP, then manually add them to your Hue groups (this is why it is easier to re-use LDAP groups).
Thanks for the response. I think that is exactly what I want to do. Import users from LDAP, manually assign them to Hue groups. I don't want to be dependent on LDAP groups, because those are influenced by a much larger org structure as compared to the number of users of HDFS.
My question therefore boils down to:
- When I create a group in Hue, and add users to this group, is this automatically reflected in HDFS?
- Or alternatively, if I create a group in HDFS first, is there a way to get that into Hue, so that I can assign users to it?
Then I think I can create a directory in HDFS, chown it to some LDAP user from this group, and give all access to the group itself.
My expectation is that we should not be required to open up any service other than hue, for users to be able to leverage our hdfs.