I have installed the HDP sandbox HDP-3.0.1.0 (3.0.1.0-187) using Docker and Kerberized the cluster.
I also installed a test LDAP server and configured it to sync with Ranger.
Users are showing up (using inetOrgPerson), and the `ou` attribute value from LDAP is shown in the `groups` column in Ranger.
I altered the `core-site.xml` file to the best of my knowledge (used the /etc/hadoop/3.0.1.0-187/0/core-site.xml file).
There is no actual implementation for the following values:
- hadoop.security.group.mapping.ldap.search.filter.group
- hadoop.security.group.mapping.ldap.search.attr.group.name
```xml
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>cn=admin,dc=customdomain,dc=com</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>mypassword</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://myldapserver:389/</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value></value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <!-- a literal & inside an XML value must be written as &amp; -->
  <value>(&amp;(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value></value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>ou</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value></value>
</property>
```
I ran the `hdfs dfsadmin -refreshUserToGroupsMappings` command successfully.
However, when I run `hdfs groups` it just shows:
```
myuser@MYCUSTOMDOMAIN.COM
```
I'm assuming that the Kerberos principal (myuser@MYCUSTOMDOMAIN) should be the same as the LDAP cn for the inetOrgPerson (cn=myuser@MYCUSTOMDOMAIN.COM).
I must be missing something, but it's not really clear what...
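The following is an added example, not part of the original post and not Hadoop's own code: a small in-memory model of the two-stage lookup that `LdapGroupsMapping` performs (find the user entry with `search.filter.user`, then search for group entries whose `search.attr.member` attribute holds the user's DN, narrowed by `search.filter.group`, and report `search.attr.group.name` from each match). The directory entries, the `dc=example,dc=com` base and the `groupOfNames` layout are constructed assumptions; the point is to see what each of the posted settings contributes to the group search, and what a conventional group-object layout returns by comparison.

```python
# Added example (not from the original post): an in-memory model of the
# two-stage group lookup performed by Hadoop's LdapGroupsMapping.
# Directory contents and the groupOfNames schema are constructed for illustration.

# Constructed directory: attribute names stored lowercase, values as lists.
USER_DN = "cn=myuser,ou=people,dc=example,dc=com"
DIRECTORY = [
    {"dn": USER_DN, "objectclass": ["inetOrgPerson"],
     "cn": ["myuser"], "ou": ["analysts"]},
    {"dn": "cn=analysts,ou=groups,dc=example,dc=com",
     "objectclass": ["groupOfNames"], "cn": ["analysts"], "member": [USER_DN]},
]

USER_FILTER = "(&(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))"

# Settings mirroring the posted core-site.xml: empty group filter,
# "ou" as the member attribute, empty group-name attribute.
POSTED_SETTINGS = {
    "search.filter.user": USER_FILTER,
    "search.filter.group": "",
    "search.attr.member": "ou",
    "search.attr.group.name": "",
}

# Settings for a groupOfNames layout (assumed schema, not from the post).
GROUPOFNAMES_SETTINGS = {
    "search.filter.user": USER_FILTER,
    "search.filter.group": "(objectClass=groupOfNames)",
    "search.attr.member": "member",
    "search.attr.group.name": "cn",
}


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value), (&...), (|...)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d in %r" % (pos, text))
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("unterminated '%s' at offset %d" % (op, pos))
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")  # DN values keep later '='
        pos = end + 1
        return ("=", attr.lower(), value.lower())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter %r" % text)
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = tree[0]
    if op == "=":
        return tree[2] in [v.lower() for v in entry.get(tree[1], [])]
    results = [matches(child, entry) for child in tree[1]]
    return all(results) if op == "&" else any(results)


def search(directory, filter_text):
    tree = parse_filter(filter_text)
    return [e for e in directory if matches(tree, e)]


def resolve_groups(settings, directory, username):
    """Return the group names the mapping reports for username."""
    # Stage 1: locate the user entry with the user filter and take its DN.
    users = search(directory, settings["search.filter.user"].replace("{0}", username))
    if not users:
        return []
    user_dn = users[0]["dn"]
    # Stage 2: group entries are those whose member attribute holds the user DN,
    # restricted by the group filter; the group-name attribute supplies the names.
    group_filter = "(&%s(%s=%s))" % (
        settings["search.filter.group"], settings["search.attr.member"], user_dn)
    name_attr = settings["search.attr.group.name"].lower()
    return [name for g in search(directory, group_filter)
            for name in g.get(name_attr, [])]


if __name__ == "__main__":
    print("posted settings:      ", resolve_groups(POSTED_SETTINGS, DIRECTORY, "myuser"))
    print("groupOfNames settings:", resolve_groups(GROUPOFNAMES_SETTINGS, DIRECTORY, "myuser"))
```

Running it with the posted settings returns no groups: the `ou` value on the user entry is a name, not the user's DN, so no entry satisfies `(ou=<user DN>)`, and an empty group-name attribute would yield nothing even if one did. With a group object that lists the user's DN in `member` and names the group in `cn`, the same user resolves to `analysts`. Passing the full principal form as the username returns nothing as well, because the user filter compares it against `cn`.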