Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Spark-submit - mapping of principal

avatar
author-rank Jarinek
Rising Star

Created ‎10-04-2022 12:47 PM

Hello,
on our system CDP 7.1.7, we have use konfiguration parameter
kafka.properties_role_safety_valve
add set attribute
sasl.kerberos.principal.to.local.rules
to map ActiveDirectory principals to entities created in ranger.

In our system, the AD user have a prefix e.g. xjohndoe@SAMPLE.COM maps to a ranger entity "johndoe"

During a spark-submit (over yarn), we also need to pass a principal, however as there is no such mapping, we obtain an error saying the unix user "xjohndoe" does not exist. This is true indeed, we eed to map it to "johndoe".

 

Ist there any possibility to map principals during spark-spark-submit possibly similarly to sasl.kerberos.principal.to.local.rules in kafka or any other possibility?

Best regards
Jaro

1,469 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank mszurap author-rank
Guru

Created ‎10-05-2022 01:44 AM

Hi @Jarinek , Yes, in CDH/CDP every service which depends on HDFS will inherit the HDFS configuration "auth-to-local rules", in CM in HDFS Configuration see "Additional Rules to Map Kerberos Principals to Short Names".

Kafka does not need HDFS so that's why it has a separate such configuration.

See the documentation how to set it:

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-kerberos-authentication/topics/cm-se...

Best regards

 Miklos

View solution in original post

1,435 Views
0 Kudos
0
2 REPLIES 2

avatar
author-rank mszurap author-rank
Guru

Created ‎10-05-2022 01:44 AM

Hi @Jarinek , Yes, in CDH/CDP every service which depends on HDFS will inherit the HDFS configuration "auth-to-local rules", in CM in HDFS Configuration see "Additional Rules to Map Kerberos Principals to Short Names".

Kafka does not need HDFS so that's why it has a separate such configuration.

See the documentation how to set it:

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-kerberos-authentication/topics/cm-se...

Best regards

 Miklos

1,436 Views
0 Kudos
0

avatar
author-rank Jarinek
Rising Star

Created ‎10-06-2022 07:15 AM

Great, thanks

1,409 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements