Member since 01-09-2019

- 401 Posts
- 163 Kudos Received
- 80 Solutions

My Accepted Solutions

| Title | Views | Posted |
|---|---|---|
|  | 2595 | 06-21-2017 03:53 PM |
|  | 4290 | 03-14-2017 01:24 PM |
|  | 2388 | 01-25-2017 03:36 PM |
|  | 3838 | 12-20-2016 06:19 PM |
|  | 2101 | 12-14-2016 05:24 PM |

07-01-2016 02:27 PM

I ran into an AD configuration where users live in several subdomains (say NA.EXAMPLE.COM and SA.EXAMPLE.COM), but most of the groups we care about for a given user are in one subdomain (NA.EXAMPLE.COM). I was able to resolve users from multiple subdomains using CompositeGroupsMapping with a separate LdapGroupsMapping for each subdomain. However, I only get the groups that belong to the same subdomain as the user. Has anyone run into similar AD issues, and how did you get around them?

At a high level, LdapGroupsMapping takes the user name, looks up the user's DN, and then queries all groups in that domain to check whether the DN appears in the 'member' attribute. We can get all of a user's groups directly from the user entry via 'memberOf'. So, worst case, if nothing can be done through configuration, I was thinking of overriding doGetGroups in LdapGroupsMapping with logic that reads the memberOf attribute instead.
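As a quick sanity check of the memberOf idea, a hedged ldapsearch against the NA.EXAMPLE.COM domain; the bind DN, host, and sAMAccountName below are placeholders, not values from the actual setup:

```bash
# Confirm the user's AD entry already lists the group DNs we care about in memberOf;
# -W prompts for the bind password
ldapsearch -LLL -H ldap://na.example.com:389 \
  -D "CN=hadoop-bind,OU=ServiceAccounts,DC=NA,DC=EXAMPLE,DC=COM" -W \
  -b "DC=NA,DC=EXAMPLE,DC=COM" "(sAMAccountName=jdoe)" memberOf
```

If that returns the expected groups, a doGetGroups override only has to read this attribute rather than searching every group object for a matching 'member' entry.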
						
					
Labels:
- Apache Hadoop

06-30-2016 08:50 PM (1 Kudo)

If the question is about data stored in Hive: by default, Hive data is UTF-8, so any language that UTF-8 supports works out of the box. The same applies to HDFS.
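A quick, hedged way to confirm the round trip; the path is a placeholder and the client shell itself must use a UTF-8 locale:

```bash
# Write some multi-byte UTF-8 text to HDFS from stdin and read it back unchanged
echo "données,füßball,日本語" | hdfs dfs -put - /tmp/utf8_check.csv
hdfs dfs -cat /tmp/utf8_check.csv   # should print the same characters
```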
						
					
06-23-2016 04:30 PM

1. If you need home directories for each of the users, you have to create them yourself. Ownership can be changed from the CLI, or you can set it using Ranger (though I think changing it from the CLI is better than creating a new Ranger policy for this; see the sketch after this list).
2. I am talking about principals here, not service users (like hdfs, hive, yarn) coming from AD (via SSSD or a similar tool). With your setup, local users are created on each node, but they still need to authenticate with your KDC. Ambari can create the principals for you in the OU once you give it the credentials.
3. It is not mandatory to have /user/<username> for each user. We have cases where BI users who use ODBC/JDBC don't even have login access to the nodes and don't need /user/<username>. Even users that log in don't need /user/<username> and can use something like /data/<group>/... to read from and write to HDFS.
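A minimal sketch of item 1 from the CLI, run as the hdfs superuser; the user name jdoe and the group hadoop-users are placeholders:

```bash
# Create the user's HDFS home directory and hand ownership to the user
sudo -u hdfs hdfs dfs -mkdir -p /user/jdoe
sudo -u hdfs hdfs dfs -chown jdoe:hadoop-users /user/jdoe
sudo -u hdfs hdfs dfs -chmod 750 /user/jdoe
```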
						
					
06-23-2016 02:34 PM (1 Kudo)

1. Ranger takes care of authorization. You will still need something for authentication, which is where Kerberos and AD come in.
2. You can set up /user/<username> in HDFS as a user home directory. You might still need common HDFS directories where collaboration happens.
3. If you have AD, it already includes Kerberos. If you have write access to an OU in AD, you can create all the service-level principals there, so no separate Kerberos KDC is required. If you don't want to create service-level principals in AD, you can run a local KDC and set up a one-way trust with AD (sketched after this list).
4. If you enable group-based authorization, adding a user can be as easy as adding them to the right group and creating a home directory for them.
5. Ranger can take care of most authorization, so you can avoid working with HDFS ACLs.
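For item 3, a hedged sketch of the cluster-KDC side of a one-way trust; the realm names are placeholders, and the AD-side commands and encryption types should come from the HDP one-way trust guide:

```bash
# On the cluster's MIT KDC: add the cross-realm principal so TGTs issued by AD are
# accepted. The password must match the trust password configured on the AD side.
kadmin.local -q "addprinc krbtgt/CLUSTER.EXAMPLE.COM@AD.EXAMPLE.COM"

# On cluster nodes, /etc/krb5.conf also needs the AD realm plus a mapping such as:
#   [domain_realm]
#     .ad.example.com = AD.EXAMPLE.COM
```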
						
					
06-13-2016 06:13 PM (2 Kudos)

It won't delete and recreate the directory. If you mount /usr/hdp in advance, HDP will just use it.
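A hedged example of mounting it in advance; /dev/sdb1 and the filesystem choice are placeholders for whatever volume you dedicate to the HDP binaries:

```bash
# Pre-create and mount /usr/hdp before installing; the installer uses the mount as-is
mkfs.xfs /dev/sdb1
mkdir -p /usr/hdp
echo '/dev/sdb1  /usr/hdp  xfs  defaults,noatime  0 0' >> /etc/fstab
mount /usr/hdp
```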
						
					
06-02-2016 04:21 PM (3 Kudos)

If you have to have an edge node running a different OS, I suggest a manual approach: install the client packages by following the manual install document. Once they are installed, to get the configs, you can install the clients on another (Ambari-managed) node and download the client configs from there. This has the obvious overhead of keeping those configs in sync with Ambari changes.

Ambari Server and the NameNode can be on the same node. Just make sure the NameNode metadata directory, JournalNode data, and ZooKeeper data go onto disk mounts that are not used by other services.

Ambari Server, being a management console on top of Hadoop, can be considered non-critical. If Ambari is down and you need to restart a service, you can use the manual approach while you work on bringing Ambari Server back up. Unless you are using Views, end users (not counting cluster admins as end users) will not be affected by Ambari Server going down. If you are using Views, you can run multiple Ambari Servers (hosting only Views).
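For pulling client configs from an Ambari-managed node, a hedged sketch using the Ambari REST API; the host, credentials, and cluster name are placeholders:

```bash
# Download the HDFS client config bundle, then copy its files to the edge node
curl -u admin:admin -H 'X-Requested-By: ambari' -o hdfs_client_config.tar.gz \
  "http://ambari-host.example.com:8080/api/v1/clusters/MYCLUSTER/services/HDFS/components/HDFS_CLIENT?format=client_config_tar"
tar -tzf hdfs_client_config.tar.gz   # inspect, then unpack into /etc/hadoop/conf on the edge node
```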
						
					
06-01-2016 07:05 PM

Lockout is not at the DB level here, since we are not authenticating with a DB username/password but with an Ambari username/password. So I don't think there is a way to enforce lockout at the DB level; it would have to be implemented at the Ambari application level and, as @jeff pointed out, could be filed as an enhancement.
						
					
06-01-2016 04:22 PM

Does your BA team on Windows use AD? If so, a one-way trust will work. You need to configure your Kerberos server to trust AD; that way, any user already authenticated against AD will be trusted and will not need another kinit from Windows. You can take a look at a one-way trust setup here.
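A hedged way to verify the trust from the user side once it is in place; the principal and realm names are placeholders:

```bash
# An AD-authenticated user needs no principal in the cluster's own realm
kinit jdoe@AD.EXAMPLE.COM
klist                  # shows the AD TGT (krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM)
hdfs dfs -ls /user     # works if the trust and auth_to_local rules are configured
```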
						
					
06-01-2016 01:14 AM (2 Kudos)

You can check with 'hadoop checknative -a' to see whether the Snappy native library is installed. Also check that org.apache.hadoop.io.compress.SnappyCodec is listed in io.compression.codecs in core-site.xml.
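For example (the expected output shown in the comment is illustrative, not a guarantee of your paths):

```bash
# Check that the Snappy native library is loaded and the codec is configured
hadoop checknative -a | grep -i snappy        # expect a line like "snappy: true /.../libsnappy.so"
hdfs getconf -confKey io.compression.codecs | tr ',' '\n' | grep SnappyCodec
```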
						
					
05-31-2016 03:29 PM

Are you using the Hive CLI or Beeline/JDBC?

1. If you are using the Hive CLI, then you need to control permissions in HDFS. If the data in HDFS is set to 750 and the user is part of the group, the user will have read-only access. You can also use HDFS ACLs, which are part of HDP 2.1.5; you can take a look at using ACLs here (a sketch follows after this list).
2. If you are using Beeline with hive.server2.enable.doAs = true, then what you did in step 1 should be enough. If it is false and you are not using storage-based authorization, then you will need to set permissions SQL-style with GRANT.
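A hedged sketch of step 1; the warehouse path and the analysts group are placeholders:

```bash
# Lock the database directory down to owner/group, then grant one extra group
# read-only access through an HDFS ACL
sudo -u hdfs hdfs dfs -chmod -R 750 /apps/hive/warehouse/sales.db
sudo -u hdfs hdfs dfs -setfacl -R -m group:analysts:r-x /apps/hive/warehouse/sales.db
hdfs dfs -getfacl /apps/hive/warehouse/sales.db   # verify the resulting ACL entries
```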
						
					