Configuring LDAP Group Mappings
Each host that is a node in a Cloudera cluster runs an operating system such as CentOS or Oracle Linux. At the OS level, user:group accounts are created during installation for the services that run on that node (for example, hdfs:hdfs for the HDFS daemons). The default group mapping provider, org.apache.hadoop.security.ShellBasedUnixGroupsMapping, resolves a user's group memberships by querying the local host's user database (it shells out to the OS `id` command). Service processes start on each node under these local OS accounts, and with this provider the groups the OS reports for an account are the groups Hadoop uses for authorization.
For clusters that use Kerberos for authentication, processes must also hold Kerberos tickets before they can run on the node. The cluster can use the organization's directory service for login credentials and Kerberos tickets (Active Directory provides both), so that authentication happens transparently while the system runs. For that to work, the local user:group accounts on each host must correspond to accounts in LDAP. To map local user:group accounts to an LDAP service:
- Use tools such as SSSD (System Security Services Daemon) or Centrify Server Suite (see Identity and Access management for Cloudera).
- Alternatively, use the Hadoop LdapGroupsMapping group mapping mechanism. The LdapGroupsMapping library may not be robust enough for large organizations in terms of scalability and manageability, especially for organizations that manage identity across multiple systems rather than exclusively for Hadoop clusters. Support for the LdapGroupsMapping library is not consistent across all operating systems.
- Do not use Winbind to map Linux user:group accounts to Active Directory. It does not scale, impedes cluster performance, and is not supported.
- Use the same user:group mappings across all cluster nodes, for ease of management.
- Use either Cloudera Manager or the command-line process detailed below.
The local user:group accounts must be mapped to LDAP for group mappings in Hadoop, so you must create the users and groups for your Hadoop services in LDAP. To integrate the cluster with an LDAP service, the user:group relationships must be contained in the LDAP directory: the administrator must create the user accounts and define the groups that hold the user:group relationships used on each host. Note that LdapGroupsMapping returns only the groups the directory reports for a user; secondary memberships that the services rely on (for example hdfs, mapred and yarn in hadoop, or impala in hive) are not picked up from the local /etc/group and must exist in LDAP as well.
The user and group names listed in the table are the default user:group values for CDP services.
Cloudera Product or Component | User | Group(s) |
---|---|---|
Cloudera Manager | cloudera-scm | cloudera-scm |
Apache Accumulo | accumulo | accumulo |
Apache Avro | (No default) | (No default) |
Apache HBase (Master, RegionServer processes) | hbase | hbase |
Apache HCatalog | hive | hive |
Apache Hive (HiveServer2, Hive Metastore) | hive | hive |
Apache Kafka | kafka | kafka |
Apache Oozie | oozie | oozie |
Apache Spark | spark | spark |
Apache Sqoop1 | sqoop | sqoop |
Apache Whirr | (No default) | (No default) |
Apache ZooKeeper | zookeeper | zookeeper |
Impala | impala | impala, hive |
Cloudera Search | solr | solr |
HDFS (NameNode, DataNodes) | hdfs | hdfs, hadoop |
HttpFS | httpfs | httpfs |
Hue | hue | hue |
Hue Load Balancer (needs apache2 package) | apache | apache |
Java KeyStore KMS | kms | kms |
Key Trustee KMS | kms | kms |
Key Trustee Server | keytrustee | keytrustee |
Kudu | kudu | kudu |
Llama | llama | llama |
MapReduce (JobTracker, TaskTracker) | mapred | mapred, hadoop |
Parquet | (No default) | (No default) |
YARN | yarn | yarn, hadoop |
Using Cloudera Manager
Minimum Required Role: Configurator (also provided by Cluster Administrator, Limited Cluster Administrator, and Full Administrator)
- Open the Cloudera Manager Admin Console and go to the HDFS service.
- Click the Configuration tab.
- Select
- Select .
- Modify the following configuration properties using values from the table below:
Configuration Property | Value |
---|---|
Hadoop User Group Mapping Implementation | org.apache.hadoop.security.LdapGroupsMapping |
Hadoop User Group Mapping LDAP URL | ldap://<server> |
Hadoop User Group Mapping LDAP Bind User | Administrator@example.com |
Hadoop User Group Mapping LDAP Bind User Password | *** |
Hadoop User Group Mapping Search Base | dc=example,dc=com |
The bind user only needs permission to search users and groups, so use a dedicated read-only service account rather than a directory administrator, and prefer an ldaps:// URL where the directory supports TLS: over plain ldap:// the bind password crosses the network in clear text on every group lookup.
Emitting the LDAP Bind password in core-site.xml for client configurations
If the CDP cluster has LDAP group to OS group mapping enabled, applications running in Spark or YARN fail to authenticate to the LDAP server when they try to use the LDAP bind account for the LDAP group search. This is because the LDAP bind password is not written to the /etc/hadoop/conf/core-site.xml client configuration file. That is intended behavior, to avoid leaking the LDAP bind password in a clear-text field.
Starting with Cloudera Manager 7.7.1 CHF 17 and Cloudera Manager 7.11.3 CHF 2, the cluster administrator can enable Cloudera Manager to pass the LDAP bind password to client applications in clear text through the /etc/hadoop/conf/core-site.xml file. Before enabling it, weigh that every account able to read the client configuration on a gateway host (typically every local user) then learns the bind password, so the bind account should hold only the read permission the group search needs.
- To do this, modify the Cloudera Manager server configuration file /etc/default/cloudera-scm-server by adding the flag -Dcom.cloudera.cmf.service.config.emitLdapBindPasswordInClientConfig=true to the CMF_JAVA_OPTS variable, for example:

```
CMF_JAVA_OPTS="-Xmx4G -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2 -Dcom.cloudera.cmf.service.config.emitLdapBindPasswordInClientConfig=true"
```
- To have the setting take effect, restart the Cloudera Manager server by running the following command:

```
sudo systemctl restart cloudera-scm-server
```
- Then deploy client configuration files to have Cloudera Manager redistribute the Hadoop core-site.xml client configuration file. See Manually Redeploying Client Configuration Files.
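The following added example (not code from this page, Cloudera or Hadoop) checks what a deployed client core-site.xml actually contains once the properties from the Cloudera Manager table above are in place, and in particular whether the bind password has been emitted in clear text as this section describes. The property names are the hadoop.security.group.mapping.ldap.* keys that org.apache.hadoop.security.LdapGroupsMapping reads, which are the core-site.xml form of the Cloudera Manager display names; the two XML documents are constructed for the example, and the hardened variant shows the form Hadoop itself supports (password read from a separate file, TLS to the directory) rather than a Cloudera Manager setting.

```python
"""Audit a Hadoop core-site.xml for how the LdapGroupsMapping bind credential is held.

Added example for this page, not Cloudera or Hadoop code. Property names are the
hadoop.security.group.mapping.ldap.* keys read by LdapGroupsMapping; the sample
documents below are constructed.
"""
import os
import stat
import xml.etree.ElementTree as ET

PREFIX = "hadoop.security.group.mapping"
LDAP_IMPL = "org.apache.hadoop.security.LdapGroupsMapping"

# Constructed sample: a client core-site.xml after Cloudera Manager has been told to
# emit the bind password, with a plain ldap:// URL (server name and password invented).
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value></property>
  <property><name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldap://ldap.example.com</value></property>
  <property><name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>Administrator@example.com</value></property>
  <property><name>hadoop.security.group.mapping.ldap.bind.password</name>
    <value>S3cret!</value></property>
  <property><name>hadoop.security.group.mapping.ldap.base</name>
    <value>dc=example,dc=com</value></property>
</configuration>"""

# Constructed sample of the hardened form: LDAPS, a read-only service account, and the
# password read from a root-only file instead of the client configuration itself.
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value></property>
  <property><name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.com:636</value></property>
  <property><name>hadoop.security.group.mapping.ldap.ssl</name>
    <value>true</value></property>
  <property><name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>svc-hadoop-ldap@example.com</value></property>
  <property><name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <value>/etc/hadoop/conf/ldap-bind.password</value></property>
  <property><name>hadoop.security.group.mapping.ldap.base</name>
    <value>dc=example,dc=com</value></property>
</configuration>"""


def parse_core_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_ldap_group_mapping(props, mode=None):
    """Return a list of findings; an empty list means nothing to fix.

    mode is the file's st_mode when the configuration came from disk, used to judge
    who can read a clear-text password; pass None for configuration not on disk.
    """
    if props.get(PREFIX) != LDAP_IMPL:
        return []  # LDAP group mapping is not in use in this configuration
    findings = []
    url = props.get(f"{PREFIX}.ldap.url", "")
    use_ssl = props.get(f"{PREFIX}.ldap.ssl", "false").lower() == "true"
    if not url.startswith("ldaps://") and not use_ssl:
        findings.append("bind password crosses the network in clear text: "
                        "URL is not ldaps:// and ldap.ssl is not true")
    password = props.get(f"{PREFIX}.ldap.bind.password", "")
    password_file = props.get(f"{PREFIX}.ldap.bind.password.file", "")
    if password:
        finding = "clear-text bind password present in core-site.xml"
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            finding += " and the file is group/world readable"
        findings.append(finding)
    elif not password_file:
        # The pre-fix client behaviour described on the page: no credential at all.
        findings.append("no bind password or bind.password.file: "
                        "client-side group lookups will fail to bind")
    return findings


def audit_file(path):
    """Audit a core-site.xml on disk, e.g. /etc/hadoop/conf/core-site.xml."""
    with open(path, encoding="utf-8") as fh:
        props = parse_core_site(fh.read())
    return audit_ldap_group_mapping(props, mode=os.stat(path).st_mode)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CORE_SITE), ("hardened", HARDENED_CORE_SITE)):
        print(label, audit_ldap_group_mapping(parse_core_site(text), mode=0o644) or ["ok"])
```

Run `audit_file("/etc/hadoop/conf/core-site.xml")` on a gateway host after redeploying client configuration: with the Cloudera Manager flag enabled it reports the clear-text password, and the permission bits tell you whether only root or every local user can read it.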