From: "Zheng, Kai" <kai.zheng@intel.com>
To: user@hadoop.apache.org
Subject: Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup
Date: Fri, 28 Jun 2013 23:29:23 +0000
Message-ID: <8D5F7E3237B3ED47B84CF187BB17B6661166692B@SHSMSX103.ccr.corp.intel.com>

Hi all,

I have a setup using MIT Kerberos with OpenLDAP as the user database. It's desired to use the same user database that holds all the kinit principal accounts as the identity store for the groups mapping provider via LdapGroupsMappingProvider. However, I found there are 3 issues:

1. For the Kerberos principal object, there is no appropriate attribute to determine the short name. As you know, Hadoop uses the short name in ACL rules.

2. We know how to add a principal for a user account, but how do we add a group so that ACLs can be applied via group?

3. Related to 2, no attribute of the Kerberos principal object is found that can be used to determine the user's groups.

I'm wondering if there's something wrong in my setup. Is there any extra LDAP schema that could be applied to allow all of these?

I think this case might not be supported, but it makes sense in such a setup to ease the deployment. Of course AD can be used for such consideration, but we might face existing deployments that use MIT Kerberos and OpenLDAP.

Thanks for your help.

Regards,
Kai
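Added illustration, not code from the poster or from Hadoop: a small Python model of the two steps that sit between a Kerberos principal and a group-based Hadoop ACL. Hadoop does not read the short name from an LDAP attribute at all; it derives it from the principal with the hadoop.security.auth_to_local rules, and only then asks the groups mapping provider for that short name's groups. The second half models the two searches an LdapGroupsMapping-style provider performs against an OpenLDAP tree (user entry by short name, then groups whose member attribute holds the user's DN). The property keys in CONF are real core-site.xml names; the realm EXAMPLE.COM, the rules, the directory entries (MIT's krbPrincipalAux/krbPrincipalName on users, groupOfNames for groups) and the filter values are assumptions chosen for this example. Java-style $1 backreferences in a rule's replacement are not modelled.

```python
"""Added example (not Hadoop's code): auth_to_local short-name mapping, then an
LdapGroupsMapping-style group lookup, against a constructed OpenLDAP-like tree.
Realm, rules, entries and filter values are all assumptions for illustration."""
import re

# Constructed sample directory, not a real one. Users carry MIT's krbPrincipalAux
# objectClass with krbPrincipalName; groups are groupOfNames holding member DNs.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": ["alice"],
     "objectClass": ["inetOrgPerson", "posixAccount", "krbPrincipalAux"],
     "krbPrincipalName": ["alice@EXAMPLE.COM"]},
    {"dn": "uid=hdfs,ou=people,dc=example,dc=com", "uid": ["hdfs"],
     "objectClass": ["inetOrgPerson", "posixAccount", "krbPrincipalAux"],
     "krbPrincipalName": ["nn/nn1.example.com@EXAMPLE.COM"]},
    {"dn": "cn=hadoop-admins,ou=groups,dc=example,dc=com", "cn": ["hadoop-admins"],
     "objectClass": ["groupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=com", "uid=hdfs,ou=people,dc=example,dc=com"]},
    {"dn": "cn=analysts,ou=groups,dc=example,dc=com", "cn": ["analysts"],
     "objectClass": ["groupOfNames"], "member": ["uid=alice,ou=people,dc=example,dc=com"]},
]

# Keys are real core-site.xml property names; values are assumed for an OpenLDAP tree.
# Hadoop's shipped defaults target AD: (&(objectClass=user)(sAMAccountName={0})) / (objectClass=group).
CONF = {
    "hadoop.security.group.mapping.ldap.base": "dc=example,dc=com",
    "hadoop.security.group.mapping.ldap.search.filter.user": "(&(objectClass=posixAccount)(uid={0}))",
    "hadoop.security.group.mapping.ldap.search.filter.group": "(objectClass=groupOfNames)",
    "hadoop.security.group.mapping.ldap.search.attr.member": "member",
    "hadoop.security.group.mapping.ldap.search.attr.group.name": "cn",
}

DEFAULT_REALM = "EXAMPLE.COM"   # assumed
# Assumed rules: NameNode principals become "hdfs", other two-component principals in
# the realm keep their first component, DEFAULT covers one-component principals.
AUTH_TO_LOCAL = [
    r"RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/",
    r"RULE:[2:$1@$0](.*@EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")


def to_short_name(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """Apply auth_to_local rules in order; the first rule that yields a result wins."""
    m = re.fullmatch(r"([^/@]*)(?:/([^/@]*))?@([^/@]*)", principal)
    if not m:
        return principal                       # no realm: already a short name
    name, host, realm = m.groups()
    params = [realm, name] + ([host] if host is not None else [])   # $0, $1, $2
    for rule in rules:
        result = None
        if rule == "DEFAULT":
            if realm == default_realm:
                result = params[1]
        else:
            rm = RULE_RE.fullmatch(rule)
            if not rm:
                raise ValueError("malformed rule: " + rule)
            n, fmt, match, frm, to, glob = rm.groups()
            if int(n) != len(params) - 1:      # rule is for another component count
                continue
            base = re.sub(r"\$(\d+)", lambda g: params[int(g.group(1))], fmt)
            if match is None or re.fullmatch(match, base):
                result = base if frm is None else re.sub(frm, to, base, count=0 if glob else 1)
        if result is not None:
            if re.search(r"[/@]", result):     # '/' or '@' left in a short name is an error
                raise ValueError("rule %r produced non-simple name %r" % (rule, result))
            return result
    raise ValueError("no auth_to_local rule matched " + principal)


def _split(s):
    """Split "(a)(b)" into its top-level parenthesised items."""
    parts, depth = [], 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
    return parts


def match_filter(entry, flt):
    """Tiny RFC 4515 subset: (attr=value), (attr=*), (&...), (|...), (!...)."""
    body = flt.strip()[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [match_filter(entry, sub) for sub in _split(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = entry.get(attr, [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)


def search(base, flt, directory=DIRECTORY):
    return [e for e in directory if e["dn"].lower().endswith(base.lower()) and match_filter(e, flt)]


def groups_for(short_name, conf=CONF):
    """Two searches, as LdapGroupsMapping does: user entry by short name, then groups by member DN."""
    base = conf["hadoop.security.group.mapping.ldap.base"]
    users = search(base, conf["hadoop.security.group.mapping.ldap.search.filter.user"].replace("{0}", short_name))
    if len(users) != 1:
        return []                              # unknown or ambiguous user: no groups
    group_filter = "(&%s(%s=%s))" % (conf["hadoop.security.group.mapping.ldap.search.filter.group"],
                                      conf["hadoop.security.group.mapping.ldap.search.attr.member"],
                                      users[0]["dn"])
    name_attr = conf["hadoop.security.group.mapping.ldap.search.attr.group.name"]
    return sorted(v for g in search(base, group_filter) for v in g.get(name_attr, []))


def allowed(principal, acl_groups):
    """Group ACL check that fails closed when no auth_to_local rule matches."""
    try:
        short = to_short_name(principal)
    except ValueError:
        return False
    return bool(set(groups_for(short)) & set(acl_groups))
```

Note the two places this can silently widen access: a rule that maps too broadly (the `s/.*/hdfs/` rule here is guarded by an explicit `(nn@EXAMPLE\.COM)` match for that reason), and a user filter that returns more than one entry, which the lookup above treats as "no groups" rather than picking the first hit.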