hadoop-mapreduce-user mailing list archives

From Benoy Antony <bant...@gmail.com>
Subject Re: Kerberos Impersonation in Hadoop
Date Sun, 26 Jun 2016 02:39:19 GMT
Hello Aneela,

You can refer to this page for instructions on Hadoop impersonation:
http://hadoopsecurity.org/wiki/HowToImpersonate

thanks,
Benoy

On Thu, Jun 23, 2016 at 1:15 PM, Chris Nauroth <cnauroth@hortonworks.com>
wrote:

> Hello Aneela,
>
> If your cluster has enabled Kerberos security, then the HADOOP_USER_NAME
> environment variable has no effect.
>
> It sounds like you want to test a proxy user scenario, in which
> authentication is performed as user "hdfs" via Kerberos, but then execution
> of the request (including any group membership resolution and authorization
> checks) proceeds as user "michael".  There is a different environment
> variable named HADOOP_PROXY_USER that can be set to achieve this.
>
> Does that help?
>
> --Chris Nauroth
>
> From: Aneela Saleem <aneela@platalytics.com>
> Date: Thursday, June 23, 2016 at 12:45 PM
> To: "user@hadoop.apache.org" <user@hadoop.apache.org>
> Subject: Kerberos Impersonation in Hadoop
>
> Hi all,
>
> I'm trying Kerberos Impersonation in Hadoop. But I can't get a clear
> idea of what the impersonation is. Whether it's effective in doing
> HADOOP_USER_NAME from command line or it's something else. It's confusing.
> I can't understand it from the documentation.
>
> Actually what I'm trying to do is to simulate LDAP users on my system when
> accessing HDFS. Since I'm using group mapping from LDAP, that's working fine
> when I run the *'hdfs groups'* command. I just want to authenticate whether
> the user I pass in *HADOOP_USER_NAME* from command line when accessing
> HDFS, is actually impersonating an LDAP user or not. How can I verify it?
> Let's have a look at the following use case:
>
> - I have a service principal, i.e., hdfs/platalytics.com@platalyticsrealm
> - I initiate the authentication request using this service principal and get
>   a TGT for this principal
> - Now when I run the command with any proxy user, whether it exists or not,
>   *HADOOP_USER_NAME=michael hdfs dfs -mkdir /temp*, it allows creating the
>   temp directory on behalf of 'hdfs' (michael is an LDAP user)
>
> But when I initiate an authentication request through a user principal, i.e.,
> michael/platalytics.com@platalyticsrealm,
> and run the command *hdfs dfs -mkdir /temp*, it says michael doesn't have
> enough permissions.
>
> I can't understand how things are working. How can I test LDAP users?
> I have not configured PAM for LDAP authentication; I want to test it
> without PAM.
>
> I have enabled impersonation with the following configuration parameters:
>
> <property>
>     <name>hadoop.proxyuser.hdfs.groups</name>
>     <value>Admin,hdfs</value>
> </property>
> <property>
>     <name>hadoop.proxyuser.hdfs.hosts</name>
>     <value>platalytics.com</value>
> </property>
>
> Thanks
>
>
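
The decision that the two `hadoop.proxyuser.hdfs.*` properties quoted above control, as an added example (not part of the thread and not Hadoop's own code): a simplified model that parses the properties and decides whether the Kerberos-authenticated short user name may act for a target user. It assumes exact, case-sensitive matching plus the `*` wildcard only; the function names, the `<configuration>` wrapper, the group lists and the host `edge01.example.com` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment holding the two properties quoted in the thread.
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.hdfs.groups</name>
    <value>Admin,hdfs</value>
  </property>
  <property>
    <name>hadoop.proxyuser.hdfs.hosts</name>
    <value>platalytics.com</value>
  </property>
</configuration>"""


def load_proxy_rules(xml_text):
    """Return {superuser: {"groups": set, "hosts": set}} from hadoop.proxyuser.* keys."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        parts = (prop.findtext("name") or "").strip().split(".")
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"] and parts[3] in ("groups", "hosts"):
            values = {v.strip() for v in (prop.findtext("value") or "").split(",") if v.strip()}
            rules.setdefault(parts[2], {"groups": set(), "hosts": set()})[parts[3]] = values
    return rules


def may_impersonate(rules, real_user, target_groups, remote_host):
    """Simplified model: (allowed, reason) for real_user (short name) acting as a
    user whose group memberships are target_groups, connecting from remote_host."""
    rule = rules.get(real_user)
    if rule is None:
        return False, f"no hadoop.proxyuser.{real_user}.* rules configured"
    if "*" not in rule["hosts"] and remote_host not in rule["hosts"]:
        return False, f"host {remote_host} not in hadoop.proxyuser.{real_user}.hosts"
    if "*" not in rule["groups"] and not rule["groups"] & set(target_groups):
        return False, f"target user is in none of hadoop.proxyuser.{real_user}.groups"
    return True, "allowed"


if __name__ == "__main__":
    rules = load_proxy_rules(CORE_SITE)
    # Constructed inputs; on a real cluster the groups come from `hdfs groups <user>`.
    cases = [(["Admin"], "platalytics.com"), (["staff"], "platalytics.com"),
             (["Admin"], "edge01.example.com")]
    for groups, host in cases:
        print(groups, host, may_impersonate(rules, "hdfs", groups, host))
```

With this configuration, a target user such as "michael" can only be impersonated by "hdfs" if the LDAP group mapping places that user in `Admin` or `hdfs` and the request originates from `platalytics.com`.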
