hadoop-user mailing list archives

From Aneela Saleem <ane...@platalytics.com>
Subject Re: Kerberos Impersonation in Hadoop
Date Sun, 26 Jun 2016 18:15:26 GMT
Thanks Chris, it helped.

Sent from my iPhone

> On 24-Jun-2016, at 01:15, Chris Nauroth <cnauroth@hortonworks.com> wrote:
> Hello Aneela,
> If your cluster has enabled Kerberos security, then the HADOOP_USER_NAME environment
> variable has no effect.
> It sounds like you want to test a proxy user scenario, in which authentication is performed
> as user "hdfs" via Kerberos, but then execution of the request (including any group membership
> resolution and authorization checks) proceeds as user "michael".  There is a different environment
> variable named HADOOP_PROXY_USER that can be set to achieve this.
> Does that help?
> --Chris Nauroth
> From: Aneela Saleem <aneela@platalytics.com>
> Date: Thursday, June 23, 2016 at 12:45 PM
> To: "user@hadoop.apache.org" <user@hadoop.apache.org>
> Subject: Kerberos Impersonation in Hadoop
> Hi all,
> I'm trying Kerberos impersonation in Hadoop, but I can't get a clear idea of what
> impersonation is. Is it achieved by passing HADOOP_USER_NAME from the command line, or
> is it something else? It's confusing, and I can't understand it from the documentation.
> Actually, what I'm trying to do is to simulate LDAP users on my system when accessing
> HDFS. Since I'm using group mapping from LDAP, that works fine when I run the 'hdfs groups'
> command. I just want to check whether the user I pass in HADOOP_USER_NAME from the command
> line when accessing HDFS is actually impersonating an LDAP user or not. How can I verify
> it? Let's have a look at the following use case:
> - I have a service principal, i.e., hdfs/platalytics.com@platalyticsrealm
> - I initiate the authentication request using this service principal and get a TGT for it
> - Now when I run the command with any proxy user, whether it exists or not:
> - HADOOP_USER_NAME=michael hdfs dfs -mkdir /temp, it allows creating the temp directory
> on behalf of 'hdfs' (michael is an LDAP user)
> But when I initiate an authentication request through the user principal, i.e., michael/platalytics.com@platalyticsrealm,
> and run the command hdfs dfs -mkdir /temp, it says michael doesn't have enough permissions.
> I can't understand how these things are working. How can I test LDAP users? I have not
> configured PAM for LDAP authentication; I want to test it without PAM.
> I have enabled impersonation with the following configuration parameters:
> <property>
>     <name>hadoop.proxyuser.hdfs.groups</name>
>     <value>Admin,hdfs</value>
> </property>
> <property>
>     <name>hadoop.proxyuser.hdfs.hosts</name>
>     <value>platalytics.com</value>
> </property>
> Thanks
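The proxy-user rule that Chris's reply points at is easy to get backwards: hadoop.proxyuser.hdfs.groups is checked against the groups of the user being impersonated (michael), not against the groups of the superuser doing the impersonating. The following is an added example, not code from Hadoop or from anyone in this thread. It models the decision Hadoop's DefaultImpersonationProvider makes for a request authenticated as "hdfs" with HADOOP_PROXY_USER set, and runs it against the two properties posted above. The LDAP group memberships are constructed for the example, host matching is a plain string compare (Hadoop compares the client's IP address), and the denial messages only approximate Hadoop's.

```python
"""Model of Hadoop's proxy-user (impersonation) authorization rule.

Added example, not Hadoop's own code: the proxied user must be named in
hadoop.proxyuser.<real>.users or belong to one of
hadoop.proxyuser.<real>.groups, and the client must come from one of
hadoop.proxyuser.<real>.hosts ('*' is a wildcard in all three).
"""
import re
from typing import Callable, Dict, Iterable, Set, Tuple

Rules = Dict[str, Dict[str, Set[str]]]

PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.([^.]+)\.(users|groups|hosts)$")


def parse_proxyuser_config(props: Dict[str, str]) -> Rules:
    """Collect hadoop.proxyuser.<real>.{users,groups,hosts} by real user.

    Values are comma-separated as in core-site.xml.
    """
    rules: Rules = {}
    for name, value in props.items():
        m = PROXY_KEY.match(name)
        if not m:
            continue
        real_user, kind = m.groups()
        entry = rules.setdefault(real_user, {"users": set(), "groups": set(), "hosts": set()})
        entry[kind].update(v.strip() for v in value.split(",") if v.strip())
    return rules


def authorize_proxy(rules: Rules, real_user: str, proxy_user: str, client_host: str,
                    groups_of: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Decide whether real_user (Kerberos-authenticated) may execute a request as proxy_user."""
    if proxy_user == real_user:
        return True, "no impersonation requested"
    entry = rules.get(real_user)
    deny = f"User: {real_user} is not allowed to impersonate {proxy_user}"
    if entry is None:
        return False, f"{deny} (no hadoop.proxyuser.{real_user}.* properties)"
    # The membership check is on the proxied user, not on the superuser.
    by_user = "*" in entry["users"] or proxy_user in entry["users"]
    by_group = "*" in entry["groups"] or bool(entry["groups"] & set(groups_of(proxy_user)))
    if not (by_user or by_group):
        return False, f"{deny} ({proxy_user} matches neither users nor groups)"
    # Host check (simplified: Hadoop compares the client IP address).
    if not ("*" in entry["hosts"] or client_host in entry["hosts"]):
        return False, f"Unauthorized connection for super-user: {real_user} from {client_host}"
    return True, f"{real_user} may act as {proxy_user} from {client_host}"


# The two core-site.xml properties posted in this thread.
POSTED_CONFIG = {
    "hadoop.proxyuser.hdfs.groups": "Admin,hdfs",
    "hadoop.proxyuser.hdfs.hosts": "platalytics.com",
}

# Constructed stand-in for what the LDAP group mapping (`hdfs groups <user>`)
# would return; these memberships are assumptions for the example.
LDAP_GROUPS = {
    "hdfs": ["hdfs", "hadoop"],
    "michael": ["developers"],
    "alice": ["Admin", "developers"],
}


def ldap_groups_of(user: str) -> Iterable[str]:
    return LDAP_GROUPS.get(user, [])


def check(config: Dict[str, str], proxy_user: str, client_host: str = "platalytics.com",
          real_user: str = "hdfs") -> Tuple[bool, str]:
    """Evaluate HADOOP_PROXY_USER=<proxy_user> for a request authenticated as real_user."""
    return authorize_proxy(parse_proxyuser_config(config), real_user, proxy_user,
                           client_host, ldap_groups_of)


if __name__ == "__main__":
    cases = [
        (POSTED_CONFIG, "michael", "platalytics.com"),  # denied: michael is in neither Admin nor hdfs
        (POSTED_CONFIG, "alice", "platalytics.com"),    # allowed: alice is in Admin
        (POSTED_CONFIG, "alice", "10.0.0.9"),           # denied: host not in .hosts
        # Naming the user explicitly is narrower than a '*' wildcard in .groups.
        (dict(POSTED_CONFIG, **{"hadoop.proxyuser.hdfs.users": "michael"}), "michael", "platalytics.com"),
    ]
    for cfg, who, host in cases:
        ok, why = check(cfg, who, host)
        print(f"HADOOP_PROXY_USER={who} from {host}: {'ALLOWED' if ok else 'DENIED'} ({why})")
```

On a real cluster the equivalent check is to kinit as the hdfs principal, run `HADOOP_PROXY_USER=michael hdfs dfs -mkdir /temp`, and then confirm with `hdfs dfs -stat '%u' /temp` that the owner is michael rather than hdfs; `hdfs groups michael` shows which LDAP groups the NameNode resolved for him, which is what the .groups property is matched against. Prefer listing the specific users or groups that need to be impersonated over a `*` wildcard, since anyone holding the hdfs credential can otherwise act as any user.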
