Problem with refresh HDFS User-Group mappings with AD on Kerberized cluster


I am following the security lab and have reached the following step:

https://github.com/HortonworksUniversity/Security_Labs#refresh-hdfs-user-group-mappings

I ran into a problem refreshing the user-group mapping from AD:

[root@qwang-hdp0 ~]# sudo sudo -u hdfs kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-qi
[root@qwang-hdp0 ~]# sudo sudo -u hdfs hdfs dfsadmin -refreshUserToGroupsMappings
Refresh user to groups mapping successful

Then I kinit as the hr1 user and check the user-group mapping. It doesn't seem to sync correctly for hdfs: the hdfs group command is not returning the right group, whereas yarn rmadmin is fine.

[root@qwang-hdp0 ~]# kinit hr1
Password for hr1@EXAMPLE.COM:
[root@qwang-hdp0 ~]# hdfs groups
hr1@EXAMPLE.COM :
[root@qwang-hdp0 ~]# yarn rmadmin -getGroups hr1
16/11/03 01:30:36 INFO client.RMProxy: Connecting to ResourceManager at hdp1.example.com/172.xx.xxx.xxx:8141
hr1 : domain_users hadoop-users hr
[root@qwang-hdp0 ~]# id hr1
uid=1960401170(hr1) gid=1960400513(domain_users) groups=1960400513(domain_users),1960401154(hr),1960401151(hadoop-users)

The hdfs group does not match the AD settings, and ldapsearch confirms the AD setting is there:

[root@qwang-hdp0 ~]# ldapsearch -h ad01.field.hortonworks.com -p 389 -D "binduser@example.com" -W -b "DC=field,DC=my_org,DC=com" "(sAMAccountName=hr1)"
Enter LDAP Password:
...
memberOf: CN=hr,OU=CorpUsers,DC=field,DC=my_org,DC=com
memberOf: CN=hadoop-users,OU=CorpUsers,DC=field,DC=my_org,DC=com

...

Could you suggest what is going wrong and what to do to troubleshoot/correct the issue?

1 ACCEPTED SOLUTION

It seems that HDFS is not synching your groups. Try restarting the cluster to see if that helps.
