
Integrate AD for User to Group mapping

Master Collaborator

Hi, 

We would like to integrate an existing kerberized cluster that uses a dedicated MIT KDC with a corporate AD for user-to-group mapping. For correct authorization in Sentry, Hadoop needs to map the user to groups.
The Hadoop KDC is not connected to or trusted by the org AD; the Hadoop MIT KDC has a different REALM name (like PROD.CLOUDERA.NET) than AD (NICE.COMPANY.COM).
The goal is not PAM (i.e. logging into Linux with an AD user and password), just the user/group mapping.
Is it possible to configure this setup? What are the options? I have read about Centrify Express, but as far as I understood it maps absolutely everything to AD. That would mean migrating all the service principals from the MIT KDC to AD, basically a new cluster setup, and that's not an option now.
Thanks!

Champion
You need to look into the LDAP-based group mapping feature of Hadoop. I don't think you are going to like it, though.

I always recommend integrating AD at the OS level. This can be done with Centrify, QAS, SSSD, etc. You would need to set up a trust between the two Kerberos realms (MIT and AD), along with integrating AD at the OS level. Then the service principals can remain in the MIT KDC, but the users will be in AD. The AD user accounts and groups will be available to the OS as if they were Linux accounts, which will be found and used by the default group mapping mechanism of Hadoop.

"However, this provider should only be used if the required groups reside exclusively in LDAP, and are not materialized on the Unix servers."

https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/GroupsMapping.html

"When you switch to LDAP as the group mapping provider, you must re-create these relationships within LDAP."

https://www.cloudera.com/documentation/enterprise/5-4-x/topics/cm_sg_ldap_grp_mappings.html

New Contributor
As the previous post mentions, creating additional islands of identity and then trying to integrate becomes difficult and costly. The easiest/best solution is to join the cluster nodes to Active Directory directly and maintain all users and groups there. Your service principal accounts for cluster kerberization can also be stored in a sandbox OU and be entirely maintained by Cloudera Manager. There's no need to maintain a separate MIT realm, LDAP directory or even local accounts. Centrify Server Suite Standard/Enterprise Editions provide numerous advantages over other AD bridging tools that will be relevant to your deployment including integrated command authorization for least privilege, infinite Kerberos renewal, LDAP Proxy, session auditing, SAML authentication, two-factor authentication, privileged credential management and much more.

Master Collaborator

Hi MikeSzymczak,

is it possible to do that with Centrify Express as well? Join the nodes, configure the group mappings?