hadoop-common-dev mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Questions and possible improvements for LdapGroupsMapping
Date Fri, 19 Oct 2012 02:45:49 GMT
A JIRA is opened for this:


-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com] 
Sent: Friday, October 19, 2012 10:17 AM
To: common-dev@hadoop.apache.org; natty@cloudera.com
Subject: RE: Questions and possible improvements for LdapGroupsMapping

Just got a reply from Natty on the user mailing list, as follows.
And I'd like to discuss further here since it's more appropriate.

Hi Natty,

1. It's a great idea that we just write a customized group mapping service to handle different mappings for AD users and service principals.
2. OK, I'd like to improve it to support multiple ADs.
3. Great to know it. I will try the group mapping with OpenLDAP, making use of the current configuration properties.

Further, to support different mappings for different users/principals, and to support multiple ADs, we also need extra properties to configure which kind of user/principal (matching on domain/realm is an option) should use which group mapping mechanism.

To improve such things, I'm going to file a JIRA for these. It would be great if you could continue to comment on it.

Thanks & regards,

From: Jonathan Natkins [mailto:natty@cloudera.com]
Sent: Friday, October 19, 2012 8:58 AM
To: user@hadoop.apache.org
Subject: Re: Secure hadoop and group permission on HDFS

Hi Kai,

1. To the best of my knowledge, you can only use one group mapping service at a time. In order
to do what you're suggesting, you'd have to write a customized group mapping service.

2. Currently multiple ADs are not supported, but it's certainly an improvement that could
be made.

3. The LdapGroupsMapping already supports OpenLDAP. It's pretty heavily configurable for the
purpose of supporting multiple types of LDAP implementations. The defaults just happen to
be geared towards Active Directory.


-----Original Message-----
From: Zheng, Kai [mailto:kai.zheng@intel.com]
Sent: Friday, October 19, 2012 8:32 AM
To: common-dev@hadoop.apache.org
Subject: Questions and possible improvements for LdapGroupsMapping

Hi All,

Regarding LdapGroupsMapping, I have following questions:

1. Is it possible to use ShellBasedUnixGroupsMapping for Hadoop service principals/users, and LdapGroupsMapping for end user accounts?
In our environment, normal end users (along with their group info) for the Hadoop cluster come from AD, and for them we prefer to use the LDAP mapping; but for the hdfs/mapred service principals, the default shell-based one is enough, and we don't want to create the user/group entries in AD just for that.
It seems that in the current implementation, only one user group mapping provider can be configured.

2. Can we support multiple ADs? Hadoop users might come from more than ONE AD in big
3. Is there any technical issue preventing support for LDAPs like OpenLDAP? In my understanding, one possible difficulty might be that it's not easy to extract a common group lookup mechanism with common filters/configurations that apply to both AD and OpenLDAP-like servers, right?

I'm wondering if these are just limits of the current implementation, and if so, whether we need to improve it. Might the community already be working on that?
