From: bc Wong
Date: Wed, 8 Jan 2014 00:24:28 -0800
Subject: Re: Ways to manage user accounts on hadoop cluster when using kerberos security
To: user@hadoop.apache.org

LDAP/AD is pretty much it. You can also have Kerberos authenticate directly to AD, or set up one-way trust between AD and MIT Kerberos. There are other identity management systems that basically implement the same. At the end of the day, you need to have (1) users in the KDC, (2) users on the nodes, and (3) user-group mapping. And it makes sense for all three to come from the same system.

Cheers,
bc

On Tue, Jan 7, 2014 at 2:55 PM, Manoj Samel <manoj.samel@gmail.com> wrote:
> Hi,
>
> From the documentation + code, "when kerberos is enabled, all tasks are
> run as the end user (e.g. as user "joe" and not as hadoop user "mapred")
> using the task-controller (which is setuid root and, when it runs, does a
> setuid/setgid etc. to Joe and his groups). For this to work, the linux
> account for user "joe" has to be present on all nodes of the cluster."
>
> In an environment with a large and dynamic user population, it is not
> practical to add every end user to every node of the cluster (and drop the
> user when the end user is deactivated, etc.)
>
> What are other options to get this working?
>
> I am assuming that if the users are in an LDAP, using PAM for LDAP can
> solve the issue.
>
> Any other suggestions?
>
> --
> Thanks,
>
> Manoj