Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

What is the x_service_config_map table actually used for in Ranger?

Highlighted

What is the x_service_config_map table actually used for in Ranger?

Explorer

What is the x_service_config_map table actually used for in Ranger?

What does it harm if a value (like auth_to_local) can't be stored in this table because it is too long?

7 REPLIES 7
Highlighted

Re: What is the x_service_config_map table actually used for in Ranger?

@Vincent Romeo

this table is used to store the Ranger service/repo details, for ex. dfs.namenode.kerberos.principal,hadoop.rpc.protection etc.

in secure cluster if auth_to_local is not store in this table then some of the functionality will get impacted for ex. there can be some permission issues

and one more thing which version of ranger are you using.

because same kind of issue was seen in ranger 0.5.0 and it was fixed in the same version.

https://issues.apache.org/jira/browse/RANGER-505

Highlighted

Re: What is the x_service_config_map table actually used for in Ranger?

Explorer

Thx, @dsharma.

I'm aware of that Jira.

HDP 2.4.2, Ranger 0.5.0.2.4.

We exceed the 4k characters currently supported. (Long story.)

Curious--is each component in the hadoop stack on it's own to implement auth_to_local? (That would explain why I haven't been able to find clear documentation on when/where auth_to_local mapping actually happens when various types jobs/queries are submitted.)

Highlighted

Re: What is the x_service_config_map table actually used for in Ranger?

Highlighted

Re: What is the x_service_config_map table actually used for in Ranger?

Explorer
@dsharma

Syntax isn't a problem. Underlying issues force us to have a separate rule for each user, for now.

Highlighted

Re: What is the x_service_config_map table actually used for in Ranger?

can you please provide your AUTH_TO_ROLE mapping , we should have separate rule for not for each user but for each service user for ex. hbase,hive & for hdfs & yarn we should have mapping for nn,dn,nm,jhs etc. so I dont think it should become that large

Highlighted

Re: What is the x_service_config_map table actually used for in Ranger?

Explorer

To clarify, what seems poorly documented is how "auth_to_local" is actually used by components in the hadoop stack, not where the rules are defined. If one were to try to diagram the chain of events kicked off if a user submits a hive query thru beeline, or runs a pig script, or even runs hdfs dfs ..., it's unclear (to me at least) when in the "flow" the auth_to_local is used, and how that flow is affected by Ranger being in the mix (or not)....

Highlighted

Re: What is the x_service_config_map table actually used for in Ranger?

So as we know Auth_to_local is there to map kerberos principal to user , so lets say you have bulk of user principal stored in you AD or MIT kerberos , and now you authenticate using those principal then in hadoop world whether it is any component, that principal gets converted to the user ( that actually will perform the task) based on the mapping defined in auth_to_local,

Don't have an account?
Coming from Hortonworks? Activate your account here