Member since 01-18-2016
162 Posts
31 Kudos Received
19 Solutions
06-29-2017
08:33 PM
Hi @Michael Szymczak - any thoughts on this?
06-29-2017
08:31 PM
I am trying to configure LDAP authentication with Ambari and other components (e.g. Zeppelin, Ranger and Knox). This is a complex environment with Centrify where users have multiple identities which resolve to a single ID in Linux. On Linux, my id is "u1101". I can execute "id u1101" or "id james-jones" and both result in the same Linux ID -- e.g. uid=60012(u1101) gid=5001(user). On a Windows system, only james-jones works. There are two domains: company.com and corp.company.int. I want to configure LDAP authentication using the Linux ID rather than the Windows sAMAccountName, but it only works with the sAMAccountName.

I have configured the correct settings in Ambari for userObjectClass, baseDn, userAttributeName, primaryUrl, managerDn, etc. I don't know if the problem is with Centrify or an LDAP server hosting the Linux accounts. I decided to conduct a test, and it seems that using dn bind account is prohibited in one case but not the other. Since Ambari LDAP authentication essentially does two queries, one with the bind user to find the person logging in, and then a second query with the person's DN and the password they entered, I tested two ldapsearch queries. One with the Windows DN and the second using the Linux DN.

Using ldapsearch, this query succeeds using my Windows domain DN:

```
ldapsearch -D "CN=1101737,OU=NY,OU=my_company,OU=CO_Users,DC=corp,DC=company,DC=int" -W \
-b "dc=corp,dc=company,dc=int" \
"sAMAccountName=james-jones"
```

This query fails on authentication using my UNIX domain DN:

```
ldapsearch -D "CN=james-jones@corp.company.int,CN=Users,CN=Global,CN=Zones,OU=Centrify,OU=Enterprise Systems,DC=corp,DC=company,DC=int" -W \
-b "DC=corp,DC=company,DC=int" \
"sAMAccountName=james-jones"
```

There are two different LDIFs for these two ids (u1101 and james-jones):

```
sAMAccountName=james-jones
objectClass=person
dn=CN=1101737,OU=NY,OU=my_company,OU=CO_Users,DC=corp,DC=company,DC=int
distinguishedName==CN=1101737,OU=NY,OU=my_company,OU=CO_Users,DC=corp,DC=company,DC=int
```

The other looks like non-AD LDAP and I think OpenLDAP may be behind it with some Centrify magic going on.

```
uid=u1101
objectClass=posixAccount
dn=CN=james-jones@corp.company.int,CN=Users,CN=Global,CN=Zones,OU=Centrify,OU=Enterprise Systems,DC=corp,DC=company,DC=int
distinguishedName=CN=james-jones@corp.company.int,CN=Users,CN=Global,CN=Zones,OU=Centrify,OU=Enterprise Systems,DC=corp,DC=company,DC=int
```

The reason this matters is that when I use Ambari views, my account needs to match the Unix accounts. Hopefully that made sense. It's a bit long and complicated. Any help is very appreciated.
Labels:
Apache Ambari
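A diagnostic for the two-query login flow described in the post above, added here as an example; it is not part of the original post and is not Ambari's own code. It runs the search step and the user-bind step separately so you can see which one rejects a given userObjectClass/userAttributeName pair. `LDAP_URL`, `MANAGER_DN` and `BASE_DN` are placeholder variables you set yourself, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reproduce search-then-bind by hand with the OpenLDAP clients.
# Requires LDAP_URL, MANAGER_DN and BASE_DN in the environment (placeholders).

# Escape RFC 4515 filter metacharacters so a login name cannot alter the filter.
escape_filter_value() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# user_filter <userObjectClass> <userAttributeName> <login>
user_filter() {
  printf '(&(objectClass=%s)(%s=%s))' "$1" "$2" "$(escape_filter_value "$3")"
}

# Read unwrapped LDIF on stdin and print the first entry's DN.
# A base64-encoded DN ("dn:: ...") is deliberately not matched.
first_dn() {
  sed -n 's/^dn: //p' | head -n 1
}

# check_login <userObjectClass> <userAttributeName> <login>
# Returns 0 if both steps succeed, 1 if the search finds nothing,
# 2 if the resolved DN cannot bind. Prompts for each password (-W).
check_login() {
  _filter=$(user_filter "$1" "$2" "$3")
  # Step 1: the manager account looks up the entry for the login name.
  _dn=$(ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URL" \
          -D "$MANAGER_DN" -W -b "$BASE_DN" "$_filter" dn | first_dn)
  if [ -z "$_dn" ]; then
    echo "step 1 failed: no entry matches $_filter" >&2
    return 1
  fi
  echo "step 1 resolved: $_dn"
  # Step 2: bind as the resolved DN with the user's own password.
  if ! ldapwhoami -x -H "$LDAP_URL" -D "$_dn" -W; then
    echo "step 2 failed: $_dn was found but cannot bind" >&2
    return 2
  fi
}
```

Running `check_login person sAMAccountName james-jones` and then `check_login posixAccount uid u1101` shows which DN each setting resolves to and whether that DN accepts a bind.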
05-30-2017
06:25 PM
1 Kudo
Well, I can't say about running Solr in YARN, but Solr can now be installed and managed by Ambari 2.5 and later. I don't think it was available in 2.4. Check out this link: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_solr-search-installation/content/ch_hdp-search-install-ambari.html
05-26-2017
04:09 PM
1 Kudo
Ambari 2.5.0.3 complains about openblas-Rblas x86_64 0.2.19-4.el7 installed when installing HDP 2.6. This was in the checks done during service installation. What version of R is HDP happy with? If we remove openblasRblas, it will also remove R 3.3.3 and we want to replace it with the correct version.
05-24-2017
02:36 AM
@Michael Szymczak - thanks for the reply and I'm sorry it's taken so long to get back to reply. We are a Centrify customer. I am wondering if it is possible to install HDP via Ambari if accounts are pre-created in AD/Centrify (without any of them pre-existing or being added to /etc/password or /etc/shadow during installation). We would prefer to avoid any resemblance of a local account (or groups). This cluster will eventually be secured/kerberized which I have done numerous times with AD. However, I have always used some form of locally defined accounts and groups. The options Ambari offers (above) sound like it will use accounts as long as it can get the id and groups exist.
05-19-2017
02:39 PM
In Ambari 2.5.0.3 I noticed the following options under "Misc" when I want to specify a custom service account name:

- Skip group modifications
- Have Ambari manage UIDs
- Whether to skip creating users and groups in a sysprepped cluster

Previously I only remember seeing "Skip group modifications", but maybe the UID option was there. The last option definitely seems new to me. Anyway, is there documentation or an HCC article explaining exactly what these do and when I would want them? I can take a guess based on the names, but it would be nice to have a clear understanding.

Our present need is to have service accounts and groups pre-created in AD/Centrify and I assume not defined on the local OS at all. In this case it seems like checking all three options would be safe, but option 3 seems like it might imply options 1 and 2 are selected. I would like advice on how to proceed with my current scenario, but any additional insight into what these actually do is appreciated. Thanks.

Incidentally, for those that care - you can set these three options above in blueprints. See my previous question: https://community.hortonworks.com/questions/103647/how-to-use-blueprints-with-pre-created-accounts-fo.html
Labels:
Apache Ambari
05-19-2017
02:06 PM
@Predrag Minovic Awesome! Thank you.
05-19-2017
03:28 AM
1 Kudo
Is there a way to use blueprints assuming we have pre-created service accounts (created in AD/Centrify), and if so, which I could use some help. I assume that in the blueprints I could add properties something like this:

"spark_user" : "svcspark", "spark_group" : "svcspark"

Part 1 of this question -- Will that cause Spark to run as svcspark?

Also, related to this, I noticed there are now 3 options (checkboxes) in Ambari 2.5.0.3 which may relate to pre-created accounts. These are found under Misc when adding a service:

- Skip group modifications
- Have Ambari manage UIDs
- Whether to skip creating users and groups in a sysprepped cluster

Part 2 of this question -- Can these be set in blueprints and if so, how?

Our plan is to use blueprints but we need to create all service accounts in AD/Centrify before Ambari or services are installed. Thanks
Labels:
Apache Ambari
Hortonworks Cloudbreak
05-18-2017
10:25 PM
1 Kudo
@Michael Young Thanks! This is very well written. Straightforward, complete and I didn't find any mistakes or missing steps!
05-02-2017
10:43 PM
If you mean Solr on HDFS, the answer is "it depends." If you have a high number of frequent updates to your index, I usually recommend local storage. On the other hand, if your updates are more batch, and not a constant stream, then using HDFS is a convenient option. If you mean installing Solr on HDF, the only supported option and use case is installing Ambari Infra. The Ambari Infra component is Solr under the covers, but it is only supported for use with HDP and HDF components such as Ranger for User Audit records. There's no support to use Ambari Infra for indexing your own data.