hadoop-mapreduce-user mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup
Date Tue, 02 Jul 2013 03:34:44 GMT

Azuryy, thanks for your info. I would take time to learn about whosso.

Any more comments or thoughts here? Thanks.

Regards,
Kai

From: Azuryy Yu [mailto:azuryyyu@gmail.com]
Sent: Saturday, June 29, 2013 8:37 AM
To: user@hadoop.apache.org
Subject: Re: Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup


You can try whosso, which is simpler than Kerberos.

--Sent from my Sony mobile.
On Jun 29, 2013 7:29 AM, "Zheng, Kai" <kai.zheng@intel.com> wrote:
Hi all,

I have a setup using MIT Kerberos with OpenLDAP as the user database. It's desired to use
the same user database that holds all the kinit principal accounts for the identity store
to be used for the groups mapping provider via LdapGroupsMappingProvider. However, I found
there are 3 issues:

1. For the Kerberos principal object, there's no appropriate attribute to determine the
short name. As you know, Hadoop uses the short name in ACL rules.

2. We know how to add a principal for a user account, but how do we add a group so that
ACLs can be done via group?

3. Related to 2, no attribute of the Kerberos principal object is found that can be used
to determine the user's groups.

I'm wondering if there's something wrong in my setup. Could any extra LDAP schema be applied
to allow all of these?
I think this case might not be supported, but it makes sense in such a setup to ease the deployment.
Of course AD can be used for such consideration, but we might face existing deployments that
use MIT Kerberos and OpenLDAP.

Thanks for your help.

Regards,
Kai

