Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Spark-submit - mapping of principal

avatar
author-rank Jarinek
Rising Star

Created ‎10-04-2022 12:47 PM

Hello,
on our system CDP 7.1.7, we have use konfiguration parameter
kafka.properties_role_safety_valve
add set attribute
sasl.kerberos.principal.to.local.rules
to map ActiveDirectory principals to entities created in ranger.

In our system, the AD user have a prefix e.g. xjohndoe@SAMPLE.COM maps to a ranger entity "johndoe"

During a spark-submit (over yarn), we also need to pass a principal, however as there is no such mapping, we obtain an error saying the unix user "xjohndoe" does not exist. This is true indeed, we eed to map it to "johndoe".

 

Ist there any possibility to map principals during spark-spark-submit possibly similarly to sasl.kerberos.principal.to.local.rules in kafka or any other possibility?

Best regards
Jaro

1,270 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank mszurap author-rank
Guru

Created ‎10-05-2022 01:44 AM

Hi @Jarinek , Yes, in CDH/CDP every service which depends on HDFS will inherit the HDFS configuration "auth-to-local rules", in CM in HDFS Configuration see "Additional Rules to Map Kerberos Principals to Short Names".

Kafka does not need HDFS so that's why it has a separate such configuration.

See the documentation how to set it:

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-kerberos-authentication/topics/cm-se...

Best regards

 Miklos

View solution in original post

1,236 Views
0 Kudos
2 REPLIES 2

avatar
author-rank mszurap author-rank
Guru

Created ‎10-05-2022 01:44 AM

Hi @Jarinek , Yes, in CDH/CDP every service which depends on HDFS will inherit the HDFS configuration "auth-to-local rules", in CM in HDFS Configuration see "Additional Rules to Map Kerberos Principals to Short Names".

Kafka does not need HDFS so that's why it has a separate such configuration.

See the documentation how to set it:

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-kerberos-authentication/topics/cm-se...

Best regards

 Miklos

1,237 Views
0 Kudos

avatar
author-rank Jarinek
Rising Star

Created ‎10-06-2022 07:15 AM

Great, thanks

1,210 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements