Created 12-22-2016 09:38 AM
I came to know that AD can be set up with multiple forests. Forests are AD lingo for a container at a level even higher than the Domain Controllers. This is not uncommon in large enterprise AD deployments (see: MS_Technet).
So my question is:
- Do any of the HDP stack security features (Knox and Ranger) support this multi-forest setup of AD (with the aim of syncing or logging on to HDP from any one of those forests), and how?
Created 12-22-2016 07:06 PM
As you mention, a Forest is just a container for multiple domains. If there is a trust relationship in place, then you should be able to authenticate from Domain1 and access resources in Domain2. You can also authenticate against Domain1 and query Domain2.
I believe the HDP stack security components can authenticate to a domain within a Forest without any issues as the Forest should be transparent to HDP.
Having said that, I believe you can only specify a single domain in the configuration options for the HDP components. While you can query multiple domains using tools like "ldapsearch", I don't think you can currently do so using HDP.
Created 02-09-2017 08:33 AM
FYI.
"Multiple Forest" is supported - but not "Cross Forest" AD.
If you have "Cross Forest" AD, Ranger may be able to get users from the right branch but not groups, or vice versa.