hadoop-hdfs-user mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup
Date Fri, 28 Jun 2013 23:29:23 GMT
Hi all,

I have a setup using MIT Kerberos with OpenLDAP as the user database. It's desired to use
the same user database that holds all the kinit principal accounts for the identity store
to be used for the groups mapping provider via LdapGroupsMappingProvider. However, I found there are
3 issues:

1. For the Kerberos principal object, there's no appropriate attribute to determine the
short name. As you know, Hadoop uses the short name in ACL rules.

2. We know how to add a principal for a user account, but how do we add a group so that it
allows doing ACL via group?

3. Related to 2, no attribute for the Kerberos principal object is found that can be used
to determine the user's groups.

I'm wondering if there's something wrong in my setup. Could any extra LDAP schema be applied
to allow all of these?

I think this case might not be supported, but it makes sense in such a setup to ease the deployment.
Of course AD can be used for such consideration, but we might face existing deployments that
use MIT Kerberos and OpenLDAP.

Thanks for your help.

