hadoop-hdfs-user mailing list archives

From Aneela Saleem <ane...@platalytics.com>
Subject Kerberos Impersonation in Hadoop
Date Thu, 23 Jun 2016 19:45:34 GMT
Hi all,

I'm trying Kerberos impersonation in Hadoop, but I can't get a clear idea of
what impersonation is: whether it takes effect by setting HADOOP_USER_NAME
from the command line, or whether it's something else. It's confusing. I can't
understand it from the documentation.

Actually, what I'm trying to do is to simulate LDAP users on my system when
accessing HDFS. I'm using group mapping from LDAP, and that's working fine
when I run the *'hdfs groups'* command. I just want to authenticate whether the
user I pass in *HADOOP_USER_NAME* from the command line when accessing HDFS is
actually impersonating an LDAP user or not. How can I verify it? Let's have
a look at the following use case:

- I have a service principal, i.e., hdfs/platalytics.com@platalyticsrealm
- I initiate the authentication request using this service principal and get
  a TGT for this principal
- Now when I run the command with any proxy user, whether it exists or not,
  *HADOOP_USER_NAME=michael hdfs dfs -mkdir /temp*
  it allows creating the temp directory on behalf of 'hdfs' (michael is an
  LDAP user)

But when I initiate an authentication request with the user principal, i.e.,
michael/platalytics.com@platalyticsrealm,
and run the command *hdfs dfs -mkdir /temp*, it says michael doesn't have
enough permissions.

I can't understand how things are working. How can I test LDAP users? I
have not configured PAM for LDAP authentication; I want to test it without
PAM.

I have enabled impersonation with the following configuration parameters:

<property>
    <name>hadoop.proxyuser.hdfs.groups</name>
    <value>Admin,hdfs</value>
</property>
<property>
    <name>hadoop.proxyuser.hdfs.hosts</name>
    <value>platalytics.com</value>
</property>

Thanks
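
The hadoop.proxyuser.hdfs.* properties in the message feed a server-side check: the Kerberos-authenticated (real) user must be configured as a proxy user, the request must come from an allowed host, and the user being acted for must belong to an allowed group. The following is an added example, not part of the original message and not Hadoop's own code: a simplified Python model of that documented rule, evaluated over the posted configuration. The function names and the sample group memberships are assumptions made for illustration, and host matching is reduced to exact names plus `*`.

```python
# Added example: simplified model of Hadoop's documented proxy-user rule.
import xml.etree.ElementTree as ET

# Properties as posted in the message, wrapped in a <configuration> root.
CORE_SITE = """<configuration>
<property>
    <name>hadoop.proxyuser.hdfs.groups</name>
    <value>Admin,hdfs</value>
</property>
<property>
    <name>hadoop.proxyuser.hdfs.hosts</name>
    <value>platalytics.com</value>
</property>
</configuration>"""

# Constructed group memberships (assumption; on a cluster these come from
# the LDAP group mapping that `hdfs groups <user>` reports).
SAMPLE_GROUPS = {"michael": {"Admin"}, "alice": {"analysts"}}


def load_proxy_rules(xml_text):
    """Return {superuser: {"groups": set, "hosts": set}} from proxyuser keys."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        parts = prop.findtext("name", "").strip().split(".")
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"] \
                and parts[3] in ("groups", "hosts"):
            raw = prop.findtext("value", "")
            values = {v.strip() for v in raw.split(",") if v.strip()}
            rules.setdefault(parts[2], {"groups": set(), "hosts": set()})[parts[3]] = values
    return rules


def may_impersonate(rules, real_user, effective_user, client_host, groups_of):
    """real_user: short name of the Kerberos-authenticated caller.
    effective_user: the user the request claims to act as."""
    if real_user == effective_user:
        return True, "no impersonation requested"
    rule = rules.get(real_user)
    if rule is None:
        return False, f"{real_user} is not configured as a proxy user"
    if "*" not in rule["hosts"] and client_host not in rule["hosts"]:
        return False, f"host {client_host} not allowed for {real_user}"
    member = groups_of.get(effective_user, set())
    if "*" not in rule["groups"] and not (member & rule["groups"]):
        return False, f"{effective_user} is in none of {sorted(rule['groups'])}"
    return True, f"{real_user} may act as {effective_user}"
```

In this model the decision depends only on the real user's proxy configuration, the client host, and the effective user's groups, so a user with no group entry (for example one that does not exist in LDAP) is rejected.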
