hadoop-mapreduce-user mailing list archives

From Chris Nauroth <cnaur...@hortonworks.com>
Subject Re: Kerberos Impersonation in Hadoop
Date Thu, 23 Jun 2016 20:15:26 GMT
Hello Aneela,

If your cluster has enabled Kerberos security, then the HADOOP_USER_NAME environment variable
has no effect.

It sounds like you want to test a proxy user scenario, in which authentication is performed
as user "hdfs" via Kerberos, but then execution of the request (including any group membership
resolution and authorization checks) proceeds as user "michael".  There is a different environment
variable named HADOOP_PROXY_USER that can be set to achieve this.

Does that help?

--Chris Nauroth

From: Aneela Saleem <aneela@platalytics.com>
Date: Thursday, June 23, 2016 at 12:45 PM
To: "user@hadoop.apache.org" <user@hadoop.apache.org>
Subject: Kerberos Impersonation in Hadoop

Hi all,

I'm trying Kerberos Impersonation in Hadoop. But I can't get a clear idea of what the impersonation
is. Whether it's effective in doing HADOOP_USER_NAME from the command line or it's something else.
It's confusing. I can't understand it from the documentation.

Actually what I'm trying to do is to simulate LDAP users on my system when accessing HDFS.
Since I'm using group mapping from LDAP, that's working fine when I run the 'hdfs groups' command.
I just want to authenticate whether the user I pass in HADOOP_USER_NAME from the command line
when accessing HDFS is actually impersonating an LDAP user or not. How can I verify it? Let's
have a look at the following use case:

- I have a service principal, i.e., hdfs/platalytics.com@platalyticsrealm
- I initiate the authentication request using this service principal and get a TGT for this principal
- Now when I run the command with any proxy user, whether it exists or not:
- HADOOP_USER_NAME=michael hdfs dfs -mkdir /temp, it allows creating the temp directory on
  behalf of 'hdfs' (michael is an LDAP user)

But when I initiate an authentication request through a user principal, i.e., michael/platalytics.com@platalyticsrealm,
and run the command hdfs dfs -mkdir /temp, it says michael doesn't have enough permissions.

I can't understand how things are working. How can I test LDAP users? I have not configured
PAM for LDAP authentication; I want to test it without PAM.

I have enabled impersonation with the following configuration parameters:

<property>
    <name>hadoop.proxyuser.hdfs.groups</name>
    <value>Admin,hdfs</value>
</property>
<property>
    <name>hadoop.proxyuser.hdfs.hosts</name>
    <value>platalytics.com</value>
</property>

Thanks
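The server-side rule behind Chris's answer, written out as an added example (this is not code from the thread and not Hadoop's own implementation): the NameNode accepts a request from the Kerberos-authenticated "real" user on behalf of a proxied user only if hadoop.proxyuser.<real>.hosts admits the client host and hadoop.proxyuser.<real>.users or .groups admits the proxied user. The model below parses the two properties from the thread out of a constructed core-site.xml fragment and evaluates them against a constructed LDAP_GROUPS dictionary that stands in for the LDAP group mapping. Assumptions, as labelled in the code: hosts are compared as literal strings or "*" (real Hadoop also resolves hostnames and accepts CIDR ranges), and the exception messages only paraphrase Hadoop's.

```python
"""Model of Hadoop's proxy-user (impersonation) authorization check.

Added example, not Hadoop's own code. Mirrors the order used by Hadoop's
default impersonation provider: users/groups are checked first, hosts second.
Assumption: hosts are matched literally or by "*"; real Hadoop also resolves
hostnames to addresses and accepts CIDR ranges.
"""
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment carrying the two properties from the thread.
CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.hdfs.groups</name>
    <value>Admin,hdfs</value>
  </property>
  <property>
    <name>hadoop.proxyuser.hdfs.hosts</name>
    <value>platalytics.com</value>
  </property>
</configuration>"""

# Constructed stand-in for the LDAP group mapping (what "hdfs groups <user>" returns).
LDAP_GROUPS = {
    "michael": ["Admin", "analysts"],
    "sara": ["analysts"],
    "hdfs": ["hdfs", "hadoop"],
}


class AuthorizationException(Exception):
    """Raised when the real user may not act as the proxied user."""


def parse_core_site(xml_text):
    """Return {name: value} for every <property> in a core-site.xml string."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", default="").strip()
        value = prop.findtext("value", default="").strip()
        if name:
            props[name] = value
    return props


def _split_list(value):
    """Hadoop list values are comma-separated; blank entries are ignored."""
    return [v.strip() for v in value.split(",") if v.strip()]


def authorize_proxy(conf, real_user, proxied_user, remote_host):
    """Raise AuthorizationException unless real_user may impersonate proxied_user.

    real_user is the Kerberos-authenticated identity (e.g. the short name of
    hdfs/host@REALM); proxied_user is the value of HADOOP_PROXY_USER.
    """
    if not real_user or real_user == proxied_user:
        return  # no impersonation requested; ordinary authorization applies
    prefix = "hadoop.proxyuser.%s." % real_user
    users = _split_list(conf.get(prefix + "users", ""))
    groups = _split_list(conf.get(prefix + "groups", ""))
    hosts = _split_list(conf.get(prefix + "hosts", ""))

    # 1. Is the proxied user admitted, directly or via one of its groups?
    allowed = "*" in users or proxied_user in users
    if not allowed:
        member_of = LDAP_GROUPS.get(proxied_user, [])
        allowed = "*" in groups or any(g in groups for g in member_of)
    if not allowed:
        raise AuthorizationException(
            "User: %s is not allowed to impersonate %s" % (real_user, proxied_user))

    # 2. Is the client host admitted? An empty hosts list denies everything.
    if "*" not in hosts and remote_host not in hosts:
        raise AuthorizationException(
            "Unauthorized connection for super-user: %s from host %s"
            % (real_user, remote_host))


def can_impersonate(conf, real_user, proxied_user, remote_host):
    """Boolean convenience wrapper around authorize_proxy."""
    try:
        authorize_proxy(conf, real_user, proxied_user, remote_host)
        return True
    except AuthorizationException:
        return False


if __name__ == "__main__":
    conf = parse_core_site(CORE_SITE)
    for real, proxied, host in [("hdfs", "michael", "platalytics.com"),
                                ("hdfs", "sara", "platalytics.com"),
                                ("hdfs", "michael", "other.example"),
                                ("michael", "hdfs", "platalytics.com")]:
        print("%s as %s from %s -> %s" % (real, proxied, host,
                                          can_impersonate(conf, real, proxied, host)))
```

With the thread's configuration, "hdfs" authenticated via Kerberos and running with HADOOP_PROXY_USER=michael from platalytics.com is allowed because michael is in the Admin group; a user in neither Admin nor hdfs is refused, a request from any other host is refused, and michael cannot impersonate anyone because no hadoop.proxyuser.michael.* properties exist. On a real cluster the same outcome is visible in the owner column of hdfs dfs -ls for the created directory and in the NameNode audit log, where the ugi field records the proxied user with "(auth:PROXY) via" the real Kerberos principal.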
