
What are Ranger user groups and why do they not map?

I have installed the HDP sandbox HDP-3.0.1.0 (3.0.1.0-187) using Docker and Kerberized the cluster. 

I also installed a test LDAP server and configured it to sync with Ranger.

Users are showing up (using inetOrgPerson), and the `ou` attribute value from LDAP is shown in the `groups` column in Ranger.

I altered the `core-site.xml` file to the best of my knowledge (used the /etc/hadoop/3.0.1.0-187/0/core-site.xml file).

There is no actual implementation for the following values:
- `hadoop.security.group.mapping.ldap.search.filter.group`
- `hadoop.security.group.mapping.ldap.search.attr.group.name`

```xml
<property>
<name>hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.bind.user</name>
<value>cn=admin,dc=customdomain,dc=com</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.bind.password</name>
<value>mypassword</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.url</name>
<value>ldap://myldapserver:389/</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.base</name>
<value></value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.filter.user</name>
<value>(&amp;(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.filter.group</name>
<value></value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.attr.member</name>
<value>ou</value>
</property>

<property>
<name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
<value></value>
</property>
```

I ran the `hdfs dfsadmin -refreshUserToGroupsMappings` command successfully.

However, when I run `hdfs groups` it just shows:

```
myuser@MYCUSTOMDOMAIN.COM
```


I'm assuming that the Kerberos principal (`myuser@MYCUSTOMDOMAIN`) should be the same as the LDAP cn for the inetOrgPerson (`cn=myuser@MYCUSTOMDOMAIN.COM`).


I must be missing something but it's not really clear what...
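As an added check (my own script, not part of the post or of Hadoop), the following parses the `core-site.xml` fragment above and flags the settings a reviewer would question before looking any further: empty required properties, a cleartext bind password, an unencrypted `ldap://` URL, and a member attribute that is a user attribute rather than a group-membership attribute. The `group_search_filter` helper assumes that `LdapGroupsMapping` combines `search.filter.group` and `search.attr.member` into `(&<filter.group>(<attr.member>={0}))`, which is how I read the Hadoop source, so it shows the query the NameNode would actually issue with the values as posted.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <property> elements from the post, wrapped in a root element.
CORE_SITE = """<configuration>
<property><name>hadoop.security.group.mapping</name><value>org.apache.hadoop.security.LdapGroupsMapping</value></property>
<property><name>hadoop.security.group.mapping.ldap.bind.user</name><value>cn=admin,dc=customdomain,dc=com</value></property>
<property><name>hadoop.security.group.mapping.ldap.bind.password</name><value>mypassword</value></property>
<property><name>hadoop.security.group.mapping.ldap.url</name><value>ldap://myldapserver:389/</value></property>
<property><name>hadoop.security.group.mapping.ldap.base</name><value></value></property>
<property><name>hadoop.security.group.mapping.ldap.search.filter.user</name><value>(&amp;(|(objectclass=person)(objectclass=inetOrgPerson))(cn={0}))</value></property>
<property><name>hadoop.security.group.mapping.ldap.search.filter.group</name><value></value></property>
<property><name>hadoop.security.group.mapping.ldap.search.attr.member</name><value>ou</value></property>
<property><name>hadoop.security.group.mapping.ldap.search.attr.group.name</name><value></value></property>
</configuration>"""

PREFIX = "hadoop.security.group.mapping.ldap."


def load_props(xml_text):
    """Return {name: value} for every <property> in a core-site.xml document."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        props[name] = (p.findtext("value") or "").strip()
    return props


def group_search_filter(props):
    """Group lookup filter as LdapGroupsMapping builds it (assumption: '(&<filter.group>(<attr.member>={0}))',
    where {0} is the DN found by the user search)."""
    return "(&%s(%s={0}))" % (props.get(PREFIX + "search.filter.group", ""),
                              props.get(PREFIX + "search.attr.member", ""))


def lint(props):
    """Return the findings a reviewer would raise against the posted group-mapping settings."""
    findings = []
    for key in ("base", "search.filter.group", "search.attr.group.name"):
        if not props.get(PREFIX + key):
            findings.append("empty: " + PREFIX + key)
    if props.get(PREFIX + "bind.password"):
        findings.append("cleartext bind password in core-site.xml")
    if props.get(PREFIX + "url", "").startswith("ldap://"):
        findings.append("plain ldap:// URL: bind credentials and group data travel unencrypted")
    if props.get(PREFIX + "search.attr.member") == "ou":
        findings.append("search.attr.member=ou is a user attribute, not a group membership attribute")
    return findings


if __name__ == "__main__":
    cfg = load_props(CORE_SITE)
    print("group filter the NameNode would issue:", group_search_filter(cfg))
    for f in lint(cfg):
        print("-", f)
```

With the posted values the group query degenerates to `(&(ou={0}))`, which searches for an entry whose `ou` equals the user's full DN, so no group entry can match regardless of what the `ou` attribute on the user holds.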

1 REPLY 1

> I'm assuming that the Kerberos principal (myuser@MYCUSTOMDOMAIN) should be the same as the LDAP cn for the inetOrgPerson (cn=myuser@MYCUSTOMDOMAIN.COM)

I made a subtle mistake here. It should read:

Kerberos principal = `myuser@MYCUSTOMDOMAIN.COM`

I tried both LDAP variations:

  1. `cn=myuser@MYCUSTOMDOMAIN.COM,dc=mycustomdomain,dc=com`
  2. `cn=myuser,dc=mycustomdomain,dc=com`