Created 10-06-2016 10:49 AM
Hi,
When a user tries to read a file from HDFS in a Kerberised cluster, he contacts the NN and presents his token. I am trying to understand how the user's groups are checked against Ranger policies.
Does the Kerberos token contain the groups the user belongs to?
Or does Ranger look at the user/group mapping? If Ranger does this, is it internal or through LDAP?
Created 10-06-2016 10:26 PM
@Houssam Manik @Chethana Krishnakumar
Mapping between users and groups is not done at Ranger level. It's done by the Hadoop Group Mapping. As you can see in the link, it's a prerequisite for Ranger installation.
So that's correct that user/groups get synchronized in Ranger and can be used to create policies. However, at request time, Hadoop Group Mapping is used to map user to groups and not mapping in Ranger. Look at this thread: https://community.hortonworks.com/questions/2108/ranger-group-policy-not-being-applied-to-the-users....
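To make the distinction in the answer above concrete, here is an added toy model (my own illustration, not Ranger's or Hadoop's code): a group-based policy is evaluated once against the groups Ranger synced from LDAP and once against the groups the Hadoop Group Mapping returns at request time. All users, groups and paths are constructed sample data.

```python
"""Toy model of a Ranger-style group policy check for HDFS.

Added illustration, not Ranger's implementation. It shows why a policy
granted to a group can still deny a user: the enforcer resolves groups via
the Hadoop Group Mapping at request time, not via the list usersync stored
in Ranger, so the two views can disagree.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    path: str
    access: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


# Constructed sample data (not from any real cluster).
# What usersync pulled from LDAP into Ranger:
RANGER_SYNCED_GROUPS = {"alice": {"analysts"}, "bob": {"ops"}}
# What the Hadoop Group Mapping on the NameNode resolves (e.g. a local
# unix group lookup that was never updated to match LDAP):
HADOOP_GROUP_MAPPING = {"alice": {"analysts"}, "bob": {"hadoop"}}

POLICIES = [
    Policy(path="/data/finance", access="read", groups={"analysts"}),
    Policy(path="/data/logs", access="read", groups={"ops"}),
]


def _path_matches(policy_path: str, requested: str) -> bool:
    """Policy covers the exact path or anything below it."""
    base = policy_path.rstrip("/")
    return requested == base or requested.startswith(base + "/")


def is_allowed(user: str, path: str, access: str, group_source: dict) -> bool:
    """Allow if some policy for (path, access) names the user or one of the
    groups that group_source resolves for the user."""
    groups = group_source.get(user, set())
    for p in POLICIES:
        if p.access == access and _path_matches(p.path, path):
            if user in p.users or groups & p.groups:
                return True
    return False


def explain(user: str, path: str, access: str) -> dict:
    """Compare the decision an admin expects from Ranger's synced view with
    the decision actually made at request time via Hadoop Group Mapping."""
    return {
        "groups_in_ranger": RANGER_SYNCED_GROUPS.get(user, set()),
        "groups_at_request_time": HADOOP_GROUP_MAPPING.get(user, set()),
        "ranger_synced_view": is_allowed(user, path, access, RANGER_SYNCED_GROUPS),
        "request_time_decision": is_allowed(user, path, access, HADOOP_GROUP_MAPPING),
    }


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, explain(user, "/data/logs/2016" if user == "bob" else "/data/finance/q3", "read"))
```

On a real cluster the equivalent check is to run `hdfs groups <user>` (which reports what the configured Hadoop Group Mapping resolves) and compare it with the groups shown for that user in the Ranger admin UI; a mismatch there, not a stale policy, is the usual cause of a group policy that "does not apply".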
Created 10-06-2016 01:28 PM
User/Group Sync is a utility provided to enable synchronization of users and groups from OS/LDAP/AD. Once the user information is available on ranger, the same can be used to create policies.
Created 10-06-2016 03:41 PM
Thanks @Chethana Krishnakumar.
So, I understand that user/group information is already in Ranger after the sync, and it will be used to authorize/deny access for each request. So it's important to have fresh data in Ranger. How is synchronization kept between Ranger and LDAP? Manual? Scheduled? Real-time?
Created 10-06-2016 03:57 PM
Usersync can be configured to sync at regular intervals for LDAP. By default the value is
SYNC_INTERVAL : 5 ## synchronizing users every 5 minutes seems to be a good value
More details on the properties can be found here
Created 10-06-2016 10:34 PM
Thanks for clarifying @Abdelkrim Hadjidj
Indeed, this is different from what I understood from Chethana's response. Can someone else confirm where user/group mapping is done? Ranger or the Hadoop service?