@GangWar    This is still a problem in CDP 7.1.8 where there is no possibility of turning off the "Auto-TLS is Enabled" satus in Admin --> Security. Has anyone found the solution? I've now combed through UI settings, db and local files for anything to do with TLS and removed most if it.   I know its turned off but as long as CDP thinks that Auto-TLS is ON I can't run the Auto-TLS setup Wizzard. ... View more

@vidanimegh ,i have changed referral to follow but still users not sync to Ranger also not able to find any error in the usersync.log. Please find below config parameters and request you to pleases suggest if anything needs to be correct.    ldapUrl: ldaps://ad.HWX.COM:636, ldapBindDn: CN=user1,OU=bda,DC=HWX,DC=COM, ldapBindPassword: ***** , ldapAuthenticationMechanism: simple, searchBase: dc=hadoop,dc=apache,dc=org, userSearchBase: [OU=bda,DC=HWX,DC=COM], userSearchScope: 2, userObjectClass: user, userSearchFilter: ((memberof=OU=bda,DC=HWX,DC=COM)(memberof=CN=hdpadmin,OU=bda,DC=HWX,DC=COM)), extendedUserSearchFilter: (&(objectclass=user)((memberof=OU=bda,DC=HWX,DC=COM)(memberof=CN=hdpadmin,OU=bda,DC=HWX,DC=COM))), userNameAttribute: sAMAccountName, userSearchAttributes: [sAMAccountName], userGroupNameAttributeSet: null, pagedResultsEnabled: true, pagedResultsSize: 500, groupSearchEnabled: true, groupSearchBase: [DC=HWX,DC=COM], groupSearchScope: 2, groupObjectClass: group, groupSearchFilter: *, extendedGroupSearchFilter: (&(objectclass=group)(*)(|(member={0})(member={1}))), extendedAllGroupsSearchFilter: (&(objectclass=group)(*)), groupMemberAttributeName: member, groupNameAttribute: cn, groupSearchAttributes: [member, cn], groupUserMapSyncEnabled: false, groupSearchFirstEnabled: false, userSearchEnabled: false, ldapReferral: follow  ... View more

If you use the $ZK_HOST defined in infra-solr-env.sh you should not need to include the /infra-solr prefix when getting the solrconfig.xml: source /etc/ambari-infra-solr/conf/infra-solr-env.sh /usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -z $ZK_HOST \ -cmd getfile /configs/ranger_audits/solrconfig.xml solrconfig.xml    The same applies when uploading the edited config. ... View more

@mqadri  Thank you for sharing very useful information. I tried configuring Hive LLAP daemons with YARN Node labelling  in HDP3 by following your post. But LLAP daemons not running on YARN node label, Instead LLAP daemons running on another nodes which are not part of Node label..(there was no errors in RM and HiveInteractive server) Is HDP3 has different Node label setup for LLAP daemons? Could you please guide me? Thanks in advance! ... View more

RULE:[1:$1@$0](^.*@AD\.HORTONWORKS\.COM$)s/^(.*)@AD\.HORTONWORKS\.COM$/$1/g I am not quiet sure if the brackets arountd (.*) are really necessary. ... View more

This is really a nice article. Kudos to you.  ... View more

@lvazquez maybe you can directly execute a "kinit" to submit your user's credentials to your LDAP I manage to authenticate users from AD while the cluster is kerberorized through a FreeIPA Server. This is a command sample: %sh echo "password" | kinit foo@hortonworks.local hdfs dfs -ls / Found 12 items drwxrwxrwt - yarn hadoop 0 2019-10-02 13:53 /app-logs drwxr-xr-x - hdfs hdfs 0 2019-10-01 15:27 /apps drwxr-xr-x - yarn hadoop 0 2019-10-01 14:06 /ats drwxr-xr-x - hdfs hdfs 0 2019-10-01 14:08 /atsv2 drwxr-xr-x - hdfs hdfs 0 2019-10-01 14:06 /hdp drwx------ - livy hdfs 0 2019-10-02 11:35 /livy2-recovery drwxr-xr-x - mapred hdfs 0 2019-10-01 14:06 /mapred drwxrwxrwx - mapred hadoop 0 2019-10-01 14:08 /mr-history drwxrwxrwx - spark hadoop 0 2019-10-02 15:08 /spark2-history drwxrwxrwx - hdfs hdfs 0 2019-10-01 15:31 /tmp drwxr-xr-x - hdfs hdfs 0 2019-10-02 14:23 /user drwxr-xr-x - hdfs hdfs 0 2019-10-01 15:14 /warehouse I think this way is really ugly but at least, it is possible. Do not forget to change in your hdfs-site file the auth_to_local RULE:[1:$1@$0](.*@HORTONWORKS.LOCAL)s/@.*// RULE:[1:$1@$0](.*@IPA.HORTONWORKS.LOCAL)s/@.*// ... View more

This is a useful article, but I would be better by explaining what the different main configurations do instead of listing interpretation of the best use case (as perceived by the creator) for each combination. By knowing what each of these few options do or how do they affect the behavior regarding the matching of users and groups from LDAP, I'm pretty sure most of us IT professionals will be able to find out in which case each combination is more appropriate for our use case. Indeed that is a recurrent problem with Ranger documentation in HDP and with many other aspects of security components, you usually will find out "subjective" interpretation of what combination of settings are best for this or that scenario, but the objective description of how each options behaves is much harder to find, and sometimes the only way to find out this is going to the source code. ... View more

I followed this with HDP 2.6.5 and the HBaseUI became accessible in the given URL but has many errors and links not working inside. I posted a question on how to fix this and then the answer resolving most of these issues here: https://community.hortonworks.com/questions/231948/how-to-fix-knox-hbase-ui.html You are welcome to test this and include these fixes in your article if you find it appropriate. Best regards ... View more

@Jay SenSharma Forgive me, I used the browser's debug tool and I found out by myself I was using the wrong URL (copy/paste error). I replaced "services" by "requests" as should be and Now it's working as you stated. Sorry and thank you. ... View more