I found problems trying to validate the information in this article, and after doing my own research I have to say that it's inaccurate and in some aspects simply wrong. First of all it must be clear that the "ranger.ldap.*" set of parameters which should be configured under Ambari under "Ranger >> Config >> Advanced >> Ldap Settings" and "Advanced ranger-admin-site" are related only to Ranger Admin UI authentication and this has nothing to do with Ranger Usersync (different properties, different code, different daemon) which must be configured completely in the "Ranger >> Config >> Ranger User Info" section. This article mix the two set of LDAP related configurations for two different components in Ranger and this is confusing and not correct. All that I state here may be verified by looking at the source code of the following classes from the "ranger" and "spring-ldap" projects in GitHub: apache.ranger.security.handler.RangerAuthenticationProvider org.springframework.security.ldap.authentication.BindAuthenticator org.springframework.security.ldap.authentication.LdapAuthenticationProvider/AbstractLdapAuthenticationProvider Talking about "Ranger Admin LDAP authentication" the only two parameters you will need are the following: ranger.ldap.url = http://ldap-host:389 ranger.ldap.user.dnpattern = uid={0},ou=users,dc=example,dc=com<br> This is because the RangerAuthenticationProvider class first uses the method "getLdapAuthentication()" which in place will use the Spring's BindAuthenticator class with default parameters except from the previous properties. This will try to do a BIND as the DN obtained from "ldapDNPattern" replacing "{0}" with the username, and if this succeeds, the authentication will be granted to the user and nothing else is used!! The only case were the remaining "ranger.ldap.*" parameters are used is when "getLdapAuthentication()" fails, for example by setting the wrong value for "ldap.user.dnpattern" as in the example above, where the LDAP manager's DN will be used to do the Bind with the username's provided password. When the call to "getLdapAuthentication()" fails, Ranger will next try a call to the more specialized method "getLdapBindAuthentication()" and is this method that will use all the other "ranger.ldap.{bind|user|group}.*" properties! This time BindAuthenticator will be configured to bind with the provided "ranger.ldap.bind.dn/password" and will search for the user entry and their groups with the other properties, etc ... But even in this case there is another IMPORTANT error in the article above: the pattern in "ranger.ldap.group.searchfilter" is wrong, because this is handled by the class DefaultLdapAuthoritiesPopulator and this will replace the '{0}' with the DistinguishedName (DN) of the user (NOT the username) and instead ist the '{1}' that will be replaced with the username. So, if you want to use the configuration above, you should replace {0} with {1} or even better just use "member={0}' as your group searchfilter. Regarding the "authorization" phase, in both the previous methods, if the authorization succeeds, then the group/role authorities for the user will be searched from LDAP (using Spring's DefaultLdapAuthoritiesPopulator class), but ONLY if both rangerLdapGroupSearchBase AND rangerLdapGroupSearchFilter are defined and not empty. But even in this case (I have still not tested this, but looking at the code It seems clear) I'm almost sure that the list of "grantedAuths" obtained from LDAP are never used by Ranger because at the end of both "getLDAP*Authentication()" methods the grantedAuths list is overwritten using the chain of calls to the following methods: authentication = getAuthenticationWithGrantedAuthority(authentication) >> List<GrantedAuthority> grantedAuths = getAuthorities(authentition.getName()); // pass username only >>>> roleList = (org.apache.ranger.biz.UserMgr)userMgr.getRolesByLoginId(username); //overwrite from Ranger DB I don't know if this is the desired behavior or it's a bug in the current RangerAuthenticationProvider that will be changed in the future (otherwise is not clear why to use the LdapAuthoritiesPopulator upstream), but it's the way it seems to be done right now. In conclusion, for Ranger Admin authentication, IF you just provides the right value for the "ranger.ldap.url" and "ranger.ldap.user.dnpattern" property, none of the remaining "ranger.ldap.group.*" parameters will be used and the user roles will be managed by Ranger from the "Admin UI -> Users" interface. ... View more

Also check this: https://www.hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/ ... View more

Nice work Greg, a wonderful, clear and very detailed article! Based on this and other articles of yours in this forum, it seems clear that the people of Hortonworks should seriously consider giving you a greater participation in the elaboration and supervision of the (currently outdated, fuzzy, inexact and overall low qualilty) material presented in their expensive official courses. The difference in quality between his work and the work published there is so great that it is sometimes rude. All my respects Mr!! ... View more

This article is really very useful but has a silly but confusing (specially for HDP newbies) error where all occurrences of "Ranger user id" and "Ranger Admin Server" must be replaced by "Atlas User ID" and "Atlas Admin Server" respectively. ... View more

At least for version 2.6.3 and above the section "Running import script on kerberized cluster" is wrong. You don't need to provide any of the options (properties) indicated (except maybe the debug one If you want to have debug output) because they are automatically detected and included in the script. Also at least in 2.6.5 a direct execution of the script in a Kerberized cluster will fail because of the CLASSPATH generated into the script. I had to edit this replacing many single JAR files by a glob inside their parent folder in order for the command to run without error. If you have this problem see answer o "Atlas can't see Hive tables" question. ... View more

I'm running HDP 2.6.5 and I have experienced (and SOLVED) a problem that may be related with this and in any case may be of help for someone else with similar problems importing entities from Hive. My cluster is Kerberized and when I run the import-hive.sh script as described in https://community.hortonworks.com/articles/61274/import-hive-metadata-into-atlas.html I get the following error: $ /usr/hdp/2.6.5.0-292/atlas/hook-bin/import-hive.sh -Dsun.security.jgss.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/atlas/conf/atlas_jaas.conf Using Hive configuration directory [/etc/hive/conf]Log file for import is /usr/hdp/2.6.5.0-292/atlas/logs/import-hive.log Usage 1: import-hive.sh [-d <database> OR --database <database>] Imports specified database and its tables ... ... Failed to import Hive Meta Data!! To see what is happening I edited the import-hive.sh script and added an echo before the executed command: echo "${JAVA_BIN}" ${JAVA_PROPERTIES} -cp "${CP}" org.apache.atlas.hive.bridge.HiveMetaStoreBridge $allargs The executed JAVA command is shown to be something like this: $ /usr/java/jdk1.8.0_152/bin/java -Datlas.log.dir=/usr/hdp/2.6.5.0-292/atlas/logs -Datlas.log.file=import-hive.log -Dlog4j.configuration=atlas-hive-import-log4j.xml \ -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/atlas/conf/atlas_jaas.conf \ -cp ":<VERY-LONG-LIST-OF-JARS>:/usr/hdp/2.6.5.0-292/tez/lib/*:/usr/hdp/2.6.5.0-292/tez/conf" \ org.apache.atlas.hive.bridge.HiveMetaStoreBridge \ -Dsun.security.jgss.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/atlas/conf/atlas_jaas.conf From this I found out two things: The property definition options indicated in the article for the case of a Kerberized cluster ARE NOT NECESSARY because they are automatically detected included by the script from the HDP environment. You may see they are duplicated at the end of the command MOST IMPORTANT: the class path is malformed because it repeats many JARs and include every single JAR file in many HADOOP lib folders (including all the jars into hive-client/lib) instead of using a glob ("/lib/*") for this. This seems to hit some parameter length limit on Bash (or Java) and seems to be the reason for the command to fail!! By editing the CLASSPATH and replacing near one-hundred listed JAR files by their single parent folders with a glob. I was able to drastically reduce the lenght of the executed command and was able run this without errors as shown bellow: $ /usr/java/jdk1.8.0_152/bin/java -Datlas.log.dir=/usr/hdp/current/atlas-server/logs -Datlas.log.file=import-hive.log -Dlog4j.configuration=atlas-hive-import-log4j.xml \ -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/atlas/conf/atlas_jaas.conf \ -cp ':/usr/hdp/current/atlas-server/hook/hive/atlas-hive-plugin-impl/*:/usr/hdp/current/hive-client/conf:/usr/hdp/current/hive-client/lib/*:mysql-connector-java.jar:postgresql-jdbc3.jar:postgresql-jdbc.jar:/usr/hdp/2.6.5.0-292/hadoop/conf:/usr/hdp/2.6.5.0-292/hadoop/lib/*:/usr/hdp/2.6.5.0-292/hadoop/*:/usr/hdp/2.6.5.0-292/hadoop-hdfs/:/usr/hdp/2.6.5.0-292/hadoop-hdfs/lib/*:/usr/hdp/2.6.5.0-292/hadoop-hdfs/*:/usr/hdp/2.6.5.0-292/hadoop-yarn/lib/*:/usr/hdp/2.6.5.0-292/hadoop-yarn/*:/usr/hdp/2.6.5.0-292/hadoop-mapreduce/lib/*:/usr/hdp/2.6.5.0-292/hadoop-mapreduce/*:/usr/hdp/2.6.5.0-292/tez/*:/usr/hdp/2.6.5.0-292/tez/lib/*:/usr/hdp/2.6.5.0-292/tez/conf' \ org.apache.atlas.hive.bridge.HiveMetaStoreBridge Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential) Search Subject for SPNEGO INIT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement) Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential) $ After this all the entities from Hive are imported into Atlas. I hope this will be of help to someone else and somebody in Hortonworks would fix the script and related documentation. ... View more

In a cluster managed by Ambari, the Atlas admin password for the File Authentication mode must be changed from inside Ambari Server or it will be rewritten after a service restart. This value may be found in section Configs-> Advanced -> Advanced atlas-env -> Admin password as shown in the image bellow ... View more

The response from @Vadim Vaks doen't address the original question and is misleading. on one side @Wendell Bu is not asking about the supported authentication methods on Atlas; but HE says clearly he wants to use LDAP authentication and asks about the Apache Atlas support for SSL/TLS when using LDAP authentication. on the other side -- if the question where about available user authentication methods in Apache Atlas -- the answer is wrong because the available user authentication methods are "File", "LDAP" and "Kerberos". These methods are configured with the three corresponding properties: atlas.authentication.method.file = true/false , atlas.authentication.method.ldap<code> = true/false , atlas.authentication.method.kerberos<code> = true/false and their corresponding subtree's properties. The mentioned values "simple|kerberos" are for the "Service Authentication Method" which is related to the identity used by the Atlas service to run and to interact with other cluster services. This is a reasonable confusion because the properties for this configuration have names which are very similar to the previous ones atlas.authentication.[method/keytab/principal] , but this has little to do with the question. For more details see the following links: http://atlas.apache.org/0.8.1/Authentication-Authorization.html http://atlas.apache.org/Security.html Regarding to the real question, this article seems to be the answer: https://community.hortonworks.com/articles/148958/steps-to-setup-atlas-with-ldaps-ssl.html It's not mentioned in the article but you will have also to chante your LDAP URL: atlas.authentication.method.ldap.url = ldaps://authserv.ict4v.org:636 because it seems Apache Atlas (like most of the Hadoop components) don't fully support TLS yet, but only old LDAP over SSL (LDAPS). ... View more

This article is very illustrative but as most of the references in this topic doesn't addresses the problem of Linux users authentication against AD with the previous hosts and kerberos client configurations. For SSSD to work with AD you will have to setup your host's default krb5.keytabs to point to the AD principals (obtained when joining the host to the AD domain) and this is conflicting with the configuration described in the article where the host is supposed to be associated to the MIT KDC realm and default domain. How do we resolve this conflict? ... View more

This will not work in a kerberized cluster (at least with SSSD using LDAP + MIT Kerberos) because the user impersonation in Zeppelin is implemented by doing a "sudo su - <user>" to the requested user. In this case the whoami above will work ok, but If you try to execute any command involving the Hadoop cluster, for example "hdfs dfs", it will fail because your user doen't have the required Kerberos ticket obtained with "kinit". The "kinit" is done automatically when you login in the console or by using ssh and providing the use's password (the Linux host will contact Kerberos server and get the ticket). But when using "su" from root or "sudo su" from a user in the sudoers, you are not providing the user's password and for this reason you have to execute kinit an provide the user's password manually to get the Kerberos ticket. This is not posible with Zeppelin because it doesn't provides an interactive console. ... View more

We don't know anything about the type of access you are going to have to your cluster and the security concerts related with this; but as a general recommendation I think it would be better to have the management and edge nodes (green) in an external DMZ LAN, separated from the HDP/Hadoop internal network (masters+workers). You should also co-locate any KDC/AD and/or database server used with the HDP cluster into this internal network. ... View more

After some tests and reading the official Hive documentation I'm answering this by myself. Both sources are incomplete and confuse and I guess it's because they mix the required configuration for Hive 0.13.x and for Hive after 0.14 (what is used in HDP 2.5.x and above). After changing authorization to SQLStdAuth and setting "Run as end user instead of Hive user" (hive.server2.enable.doAs) to false you have to In Custom hive-site: add the user you want to use as Hive administrator, for example admin to the default list o users with admin role: hive.users.in.admin.role = hive,hue,admin In hive-site.xml, corresponding to the General and Advanced hive-site sections on Ambari: check you have the following settings: # General section: hive.security.authorization.enabled=true hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory # Need to add the second class to the comma separated list hive.security.metastore.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly # Advanced hive-site section: hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.ProxyUserAuthenticator In hiveserver2-site.xml corresponding to Advanced hiveserver2-site in Ambari: hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator hive.security.authorization.enabled=true hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory Note the class used as "authorization.manager" in hive-site and in hiveserve2-site have similar names but are different, the first one is "SQLStdConfOnlyAuthorizerFactory" and the second "SQLStdHiveAuthorizerFactory". Ambari will guide you with some of these settings once you select SQLStdAuth authorization, but this is the complete picture of what is needed. For further reference check: https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization ... View more

I also want to complement with the information that in the "Data Access" manual they refer to hive-site but in the HW support article they talk about settings in hiveserver2-site . For what I was able to find out, the first file (hive-site in Ambari) corresponds to /etc/hive/conf/hive-site.xml and the second (hiveserver2-site in Ambari) corresponds to /etc/hive/conf/conf.server/hiveserver2-site.xml and many of the authorization/authentication parameters are repeated but with different values. There is also another file named "hive-site.xml" file inside the "conf.server" folder but, it seems to have almost the same content that the one in /etc/hive/conf except for a couple of credential store parameters. What a mess is this hive configuration! ... View more

This is a useful article, but I would be better by explaining what the different main configurations do instead of listing interpretation of the best use case (as perceived by the creator) for each combination. By knowing what each of these few options do or how do they affect the behavior regarding the matching of users and groups from LDAP, I'm pretty sure most of us IT professionals will be able to find out in which case each combination is more appropriate for our use case. Indeed that is a recurrent problem with Ranger documentation in HDP and with many other aspects of security components, you usually will find out "subjective" interpretation of what combination of settings are best for this or that scenario, but the objective description of how each options behaves is much harder to find, and sometimes the only way to find out this is going to the source code. ... View more

The configuration for Kafka with SSL is as follows (ports are the usual ones and "localhost" is not needed): listeners = SSL://:9093,SASL_SSL://:9094 SASL_xxxx means using Kerberos SASL with plaintext or ssl (depending on xxxx) So if you are using the configuration above your Kafka Broker is not using SSL and your clients don't need (or can) use SSL. If you want to enable SSL you will also need to add the following parameters to your Custom kafka-broker section: ssl.keystore.location = /etc/security/serverKeys/keystore.jks ssl.keystore.password = **keysecret** ssl.key.password = **keysecret** ssl.truststore.location = /etc/security/serverKeys/truststore.jks ssl.truststore.password = changeit ssl.enabled.protocols = TLSv1.2,TLSv1.1,TLSv1 sasl.kerberos.service.name=kafka and use the corresponding configuration (except from keystore not needed on clients) for your producer and consumer clients. If you need data protection, it is also recommended to use SSL in the inter-broker communication, so you should set this too: security.inter.broker.protocol = SASL_SSL (or SSL) ... View more

Just in case this may save time to other people. The configuration included with HDP 2.5.x and Ambari 2.5 is not compatible with using Ranger Tagsync with SSL, so there is no "Advanced ranger-tagsync-policymgr-ssl" section or anything like that on Ranger (0.6.0) configuration from Ambari. The first response above refers to the parameters included in the file ranger-tagsync-policymgr-ssl.xml included with Ambari 2.6 (y believe in HDP 2.6.x). This in included in the patch discussed in the following URL: https://issues.apache.org/jira/browse/AMBARI-18874 There is an Ambari patch for HDP 2.5 but I was not able to make it work with Ambari 2.5 and Ranger 0.6.0 (included with HDP 2.5.6) so the way to make it work was to change include the file /etc/ranger/tagsync/conf/ranger-tagsync-policymgr-ssl.xml from the patch above edited by hand and in the section "Advanced ranger-tagsync-site" modify the parameter ranger.tagsync.dest.ranger.ssl.config.filename which incredibly (and shamefully) points to a keystore!!! in the default HDP 2.5 configuration to point to this file like this: ranger.tagsync.dest.ranger.ssl.config.filename=/etc/ranger/tagsync/conf/ranger-tagsync-policymgr-ssl.xml After this you will also need to change the credentials store file at rangertagsync.jceks to include the keys ssltruststore and sslkeystore with the correct values. There are other articles on how to do this. Hopefully in HDP 2.6 things are going to be easier 😞 ... View more

Finally after writing out the problem to post the question I was able to find the problem for myself and I will describe it in case it may happen to someone else. The problem was there are a couple of extra properties not documented here: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.6/bk_security/content/configure_ambari_ranger_ssl_public_ca_certs_admin.html used to define the truststore to be used for the Ranger Admin service when connecting to other services. These are located at the of section "Advanced ranger-admin-site" as show here and should be changed to point to your system truststore (including the CA certificate used to sign the Hadoop Services certificates). Ranger -> Advanced ranger-admin-site So in order to make HTTPS and SSL work for Ranger Admin and Ranger Plugins in both directions you have to set correctly all the following fields pointing to the proper keystore (including private key) o truststore (including signing CA or certificate of the service you are going to connect): In Ranger -> Advanced ranger-admin-site ranger.https.attrib.keystore.file = /etc/security/serverKeys/keystore.jks ranger.service.https.attrib.keystore.pass = ****** ... Other ranger.service.https.* releated properties // Not documented in Security manual ranger.truststore.file = /etc/security/serverKeys/truststore.jks ranger.truststore.password = ******* In Ranger -> Advanced ranger-admin-site (this seems to be the same property above, so I suspect these are probably from different software version and only one is necessary but both are mentioned in the documentation so who knows?) ranger.service.https.attrib.keystore.file = /etc/security/serverKeys/keystore.jks In Service (HDFS/YARn) -> Advanced ranger-hdfs-policymgr-ssl (also set properties in Advanced ranger-hdfs-plugin-properties to match the certificate common name) // Keystore with the client certificate cn=hadoopclient,... xasecure.policymgr.clientssl.keystore = /etc/security/clientKeys/hadoopclient.jks ... xasecure.policymgr.clientssl.truststore = /etc/security/clientKeys/truststore.jks ... ... View more