Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger Plugins with Kerberos: Users for lookup?

Labels:
avatar
author-rank benhadoop
Expert Contributor

Created ‎06-30-2016 10:34 AM

Hi community,

working through the documentation, I stumbled about some pages regarding Ranger Plugins when enabling Kerberos (Link).

The documentation states the requirement to create some extra users for lookup purposes (such as rangerhdfslookup) for HDFS, HBase, Hive and Knox. The HDP documentation is the only place I found this information.

Is this a mandatory requirement? Why is this user needed?

Hope you can clear this up for me.

Best regards, Benjamin

1,823 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank benhadoop
Expert Contributor

Created ‎06-30-2016 10:46 AM

Oh well, I think I found the answer in the community:

"If your cluster is kerberized you'll need one more account usually called "rangerlookup" to facilitate autocompletion of databases, tables etc, with a headless principal and a password (keytab unsupported). The docs talk about a rangerlookup account per service (hdfs, hbase, etc.) but I use only one." (Source: https://community.hortonworks.com/questions/21818/can-proxyuser-group-be-redefined-as-something-else...

Other helpful entries:

https://community.hortonworks.com/questions/12039/ranger-ui-for-hive-plug-in-auto-complete-of-tables...

https://community.hortonworks.com/questions/21145/autocompletion-of-names-not-working-in-ranger.html

https://community.hortonworks.com/questions/432/permissions-necessary-for-the-user-required-to-con.h...

View solution in original post

1,260 Views
0 Kudos
1 REPLY 1

avatar
author-rank benhadoop
Expert Contributor

Created ‎06-30-2016 10:46 AM

Oh well, I think I found the answer in the community:

"If your cluster is kerberized you'll need one more account usually called "rangerlookup" to facilitate autocompletion of databases, tables etc, with a headless principal and a password (keytab unsupported). The docs talk about a rangerlookup account per service (hdfs, hbase, etc.) but I use only one." (Source: https://community.hortonworks.com/questions/21818/can-proxyuser-group-be-redefined-as-something-else...

Other helpful entries:

https://community.hortonworks.com/questions/12039/ranger-ui-for-hive-plug-in-auto-complete-of-tables...

https://community.hortonworks.com/questions/21145/autocompletion-of-names-not-working-in-ranger.html

https://community.hortonworks.com/questions/432/permissions-necessary-for-the-user-required-to-con.h...

1,261 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements