Set Up Hadoop Group Mapping for LDAP/AD
To ensure that LDAP/AD group-level authorization is enforced in Hadoop, set up Hadoop group mapping for LDAP/AD.
You must have access to LDAP and the connection details (server URL, bind user and password, search base, and the object classes and filters that identify users and groups). Note that LDAP settings vary depending on which LDAP implementation you are using.
There are three ways to provide the group mapping:
- Using SSSD (recommended)
- Manually creating users and groups in the Linux environment
- Configuring LDAP-based group mapping in core-site.xml
Using SSSD (Recommended)
The recommended method for group mapping is to use SSSD or one of the following services to connect the Linux OS with LDAP:
- Centrify
- NSLCD
- Winbind
- SAMBA
Manually create users and groups in the Linux environment
Manually create users and groups (see link below) in your Linux environment.
In core-site.xml
Configure Hadoop to use LDAP-based group mapping by adding the properties shown in the example below to the core-site.xml file. You will need to provide the value for the bind user, the bind password, and other properties specific to your LDAP instance, and make sure that the object class, user, and group filters match the values used in your LDAP instance. Two details matter for a correct and safe configuration:
- An ampersand inside an XML value must be written as &amp;, as in the user filter below; a bare & makes core-site.xml unparseable.
- Prefer the commented-out hadoop.security.group.mapping.ldap.bind.password.file property to an inline hadoop.security.group.mapping.ldap.bind.password, and keep that file readable only by the Hadoop service account: core-site.xml is distributed to every node and is usually readable by all users. For the same reason use an ldaps:// URL (or set hadoop.security.group.mapping.ldap.ssl to true) rather than the cleartext ldap://localhost:389/ shown, so the bind credentials do not cross the network unencrypted, and set hadoop.security.group.mapping.ldap.base to the subtree to search instead of leaving it empty.

<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>cn=Manager,dc=hadoop,dc=apache,dc=org</value>
</property>
<!--
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
  <value>/etc/hadoop/conf/ldap-conn-pass.txt</value>
</property>
-->
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>hadoop</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://localhost:389/</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value></value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectclass=groupOfNames)</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
Depending on your configuration, you may be able to refresh user and group mappings without a restart using the following HDFS and YARN commands:
hdfs dfsadmin -refreshUserToGroupsMappings
yarn rmadmin -refreshUserToGroupsMappings
Verify LDAP group mapping by running the hdfs groups command, optionally followed by one or more user names. With no argument it fetches the groups from LDAP for the current user; with arguments it fetches the groups for each named user, which is the quickest way to confirm that a user's LDAP group memberships are what HDFS will enforce. Note that with LDAP group mapping configured, HDFS permissions can use groups defined in LDAP for access control.
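The configuration steps above are easy to get subtly wrong, and the weak settings in the sample (inline bind password, cleartext ldap:// URL, empty search base) are exactly the ones a reviewer looks for. The following script is an added example written for this page, not code from the page or from the Hadoop project. It parses a core-site.xml, lints the hadoop.security.group.mapping.* properties, and also shows how a user name must be escaped (RFC 4515) before it replaces the {0} placeholder in the user filter, so a crafted name cannot rewrite the filter. The two core-site.xml documents it checks are constructed for the example (one mirrors the page's sample, the other a hardened variant with an assumed ldaps://ldap.example.com host); the property names are the real Hadoop ones.

```python
"""Lint the LDAP group-mapping settings in a Hadoop core-site.xml.

Added example for this page, not code from the page or the Hadoop project.
The two sample documents below are constructed; the property names are the
real hadoop.security.group.mapping.* keys.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

PREFIX = "hadoop.security.group.mapping"
LDAP_MAPPER = "org.apache.hadoop.security.LdapGroupsMapping"
USER_FILTER = "(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))"


def core_site(props):
    """Build a minimal core-site.xml document from a name->value dict (constructed sample)."""
    body = "".join(
        f"<property><name>{k}</name><value>{xml_escape(v)}</value></property>"
        for k, v in props.items()
    )
    return f"<configuration>{body}</configuration>"


def parse_core_site(xml_text):
    """Return {name: value} for every <property> in a core-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name", default="").strip()
        if name:
            props[name] = prop.findtext("value", default="").strip()
    return props


def lint_ldap_mapping(props):
    """Return (severity, message) findings for the LDAP group-mapping properties."""
    if props.get(PREFIX) != LDAP_MAPPER:
        return [("info", f"{PREFIX} is not {LDAP_MAPPER}; nothing to check")]
    findings = []
    if props.get(f"{PREFIX}.ldap.bind.password"):
        findings.append(("high", "bind password is inline in core-site.xml; move it to "
                                 f"{PREFIX}.ldap.bind.password.file with restrictive permissions"))
    url = props.get(f"{PREFIX}.ldap.url", "")
    tls = props.get(f"{PREFIX}.ldap.ssl", "false").lower() == "true"
    if url.startswith("ldap://") and not tls:
        findings.append(("high", f"cleartext URL {url} and {PREFIX}.ldap.ssl is not true"))
    if not props.get(f"{PREFIX}.ldap.base"):
        findings.append(("medium", f"{PREFIX}.ldap.base is empty; searches start at the directory root"))
    if "{0}" not in props.get(f"{PREFIX}.ldap.search.filter.user", ""):
        findings.append(("high", "user search filter has no {0} placeholder for the user name"))
    return findings


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it cannot change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def instantiate_user_filter(user_filter, user):
    """Substitute the escaped user name for {0}, as a lookup for that user must do."""
    return user_filter.replace("{0}", escape_filter_value(user))


# Constructed sample 1: the page's example as written (inline password, ldap://, empty base).
WEAK_CORE_SITE = core_site({
    PREFIX: LDAP_MAPPER,
    f"{PREFIX}.ldap.bind.user": "cn=Manager,dc=hadoop,dc=apache,dc=org",
    f"{PREFIX}.ldap.bind.password": "hadoop",
    f"{PREFIX}.ldap.url": "ldap://localhost:389/",
    f"{PREFIX}.ldap.base": "",
    f"{PREFIX}.ldap.search.filter.user": USER_FILTER,
    f"{PREFIX}.ldap.search.filter.group": "(objectclass=groupOfNames)",
    f"{PREFIX}.ldap.search.attr.member": "member",
    f"{PREFIX}.ldap.search.attr.group.name": "cn",
})

# Constructed sample 2: same mapping with the password in a file, TLS, and a search base
# (ldap.example.com is an assumed host name).
HARDENED_CORE_SITE = core_site({
    PREFIX: LDAP_MAPPER,
    f"{PREFIX}.ldap.bind.user": "cn=Manager,dc=hadoop,dc=apache,dc=org",
    f"{PREFIX}.ldap.bind.password.file": "/etc/hadoop/conf/ldap-conn-pass.txt",
    f"{PREFIX}.ldap.url": "ldaps://ldap.example.com:636/",
    f"{PREFIX}.ldap.ssl": "true",
    f"{PREFIX}.ldap.base": "dc=hadoop,dc=apache,dc=org",
    f"{PREFIX}.ldap.search.filter.user": USER_FILTER,
    f"{PREFIX}.ldap.search.filter.group": "(objectclass=groupOfNames)",
    f"{PREFIX}.ldap.search.attr.member": "member",
    f"{PREFIX}.ldap.search.attr.group.name": "cn",
})

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CORE_SITE), ("hardened", HARDENED_CORE_SITE)):
        print(label, lint_ldap_mapping(parse_core_site(doc)) or "no findings")
    print(instantiate_user_filter("(cn={0})", "admin)(cn=*"))
```

Run it against a real /etc/hadoop/conf/core-site.xml by passing the file contents to parse_core_site and then lint_ldap_mapping; the weak sample produces three findings and the hardened one none. The escaping function is illustrative of what any {0} substitution must do, not a claim about how Hadoop's own LdapGroupsMapping performs it.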