User group information in Kerberos Token



Hi,

When a user tries to read a file from HDFS in a Kerberised cluster, he contacts the NN and presents his token. I am trying to understand how the user's groups are checked against Ranger policies.

Does the Kerberos token contain the groups the user belongs to?

Or does Ranger look at the user/group mapping? If Ranger does this, is it internal or through LDAP?

1 ACCEPTED SOLUTION


Re: User group information in Kerberos Token

@Houssam Manik @Chethana Krishnakumar

Mapping between users and groups is not done at Ranger level. It's done by the Hadoop Group Mapping. As you can see in the link, it's a prerequisite for Ranger installation.

So it's correct that users/groups get synchronized into Ranger and can be used to create policies. However, at request time, Hadoop Group Mapping is used to map users to groups, not the mapping in Ranger. Look at this thread: https://community.hortonworks.com/questions/2108/ranger-group-policy-not-being-applied-to-the-users....

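As an added illustration (not part of the thread), this is the core-site.xml fragment that decides which group mapping the NameNode consults at request time: the `hadoop.security.group.mapping` property, here switched from the default OS-based provider to LDAP. All LDAP hosts, DNs and file paths are placeholders.

```xml
<!-- core-site.xml on the NameNode. Added example; hostnames, DNs and
     paths are placeholders. This mapping, not Ranger usersync, is what
     the NameNode uses to resolve a user's groups when a request arrives. -->
<configuration>
  <property>
    <name>hadoop.security.group.mapping</name>
    <!-- default is org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback,
         i.e. the groups known to the OS of the NameNode host -->
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.org:636</value> <!-- placeholder; use ldaps, not ldap -->
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>cn=hadoop-bind,ou=svc,dc=example,dc=org</value> <!-- placeholder -->
  </property>
  <property>
    <!-- keep the bind password out of core-site.xml; file should be mode 0400 -->
    <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <value>/etc/hadoop/conf/ldap-bind.password</value> <!-- placeholder path -->
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.base</name>
    <value>dc=example,dc=org</value> <!-- placeholder -->
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
    <value>(&amp;(objectclass=person)(uid={0}))</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
    <value>(objectclass=groupOfNames)</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
    <value>member</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
    <value>cn</value>
  </property>
  <property>
    <!-- seconds the NameNode caches a user's resolved groups; a removed
         group membership stays effective until this expires -->
    <name>hadoop.security.groups.cache.secs</name>
    <value>300</value>
  </property>
</configuration>
```

To see which groups the NameNode actually resolves for an account (and therefore which Ranger group policies can apply), run `hdfs groups <username>` as an admin; after a mapping change, `hdfs dfsadmin -refreshUserToGroupsMappings` clears the cache.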

5 REPLIES

Re: User group information in Kerberos Token

Contributor

@Houssam Manik

User/Group Sync is a utility provided to enable synchronization of users and groups from OS/LDAP/AD. Once the user information is available in Ranger, it can be used to create policies.

Re: User group information in Kerberos Token

Thanks @Chethana Krishnakumar.

So, I understand that user/group information is already in Ranger after the sync, and it will be used to authorize/deny access for each request. So it's important to have fresh data in Ranger. How is synchronization kept between Ranger and LDAP? Manual? Scheduled? Real-time?

Re: User group information in Kerberos Token

Contributor

Usersync can be configured to sync at regular intervals for LDAP. By default the value is

SYNC_INTERVAL : 5 ## synchronizing users every 5 minutes seems to be a good value

More details on the properties can be found here


Re: User group information in Kerberos Token

Thanks for clarifying, @Abdelkrim Hadjidj.

Indeed, this is different from what I understood from Chethana's response. Can someone else confirm where the user/group mapping is done? Ranger or the Hadoop service?