What is the x_service_config_map table actually used for in Ranger?
What does it harm if a value (like auth_to_local) can't be stored in this table because it is too long?
this table is used to store the Ranger service/repo details, for ex. dfs.namenode.kerberos.principal,hadoop.rpc.protection etc.
in secure cluster if auth_to_local is not store in this table then some of the functionality will get impacted for ex. there can be some permission issues
and one more thing which version of ranger are you using.
because same kind of issue was seen in ranger 0.5.0 and it was fixed in the same version.
I'm aware of that Jira.
HDP 2.4.2, Ranger 0.5.0.2.4.
We exceed the 4k characters currently supported. (Long story.)
Curious--is each component in the hadoop stack on it's own to implement auth_to_local? (That would explain why I haven't been able to find clear documentation on when/where auth_to_local mapping actually happens when various types jobs/queries are submitted.)
can you please provide your AUTH_TO_ROLE mapping , we should have separate rule for not for each user but for each service user for ex. hbase,hive & for hdfs & yarn we should have mapping for nn,dn,nm,jhs etc. so I dont think it should become that large
To clarify, what seems poorly documented is how "auth_to_local" is actually used by components in the hadoop stack, not where the rules are defined. If one were to try to diagram the chain of events kicked off if a user submits a hive query thru beeline, or runs a pig script, or even runs hdfs dfs ..., it's unclear (to me at least) when in the "flow" the auth_to_local is used, and how that flow is affected by Ranger being in the mix (or not)....
So as we know Auth_to_local is there to map kerberos principal to user , so lets say you have bulk of user principal stored in you AD or MIT kerberos , and now you authenticate using those principal then in hadoop world whether it is any component, that principal gets converted to the user ( that actually will perform the task) based on the mapping defined in auth_to_local,