Configuring LDAP Group Mappings

When configuring LDAP for group mappings in Hadoop, you must create the users and groups for your Hadoop services in LDAP. When using the default shell-based group mapping provider (org.apache.hadoop.security.ShellBasedUnixGroupsMapping), the requisite user and group relationships already exist because they are created during the installation procedure. When you switch to LDAP as the group mapping provider, you must re-create these relationships within LDAP.

The table below lists users and their group members for CDH services:

Users & Groups
Service	Unix User ID	Group
Flume	`flume`	`flume`
HBase	`hbase`	`hbase`
HDFS	`hdfs`	`hdfs`, `hadoop`
Hive	`hive`	`hive`
HCatalog	`hive`	`hive`
HttpFS	`httpfs`	`httpfs`
Hue	`hue`	`hue`
Cloudera Impala	`impala`	`impala`, `hdfs`, `hive`
Llama	`llama`	`llama`
MapReduce	`mapred`	`mapred`, `hadoop`
Oozie	`oozie`	`oozie`
Cloudera Search	`solr`	`solr`
Spark	`spark`	`spark`
Sentry	`sentry`	`sentry`
Sqoop	`sqoop`	`sqoop`
Sqoop2	`sqoop2`	`sqoop`, `sqoop2`
YARN	`yarn`	`yarn`, `hadoop`
ZooKeeper	`zookeeper`	`zookeeper`

Using Cloudera Manager

Minimum Required Role: Configurator (also provided by Cluster Administrator, Full Administrator)

Make the following changes to the HDFS service's security configuration:

Open the Cloudera Manager Admin Console and navigate to the HDFS service.
Click the Configuration tab.

Modify the following configuration properties under the Service-Wide > Security section. The table below lists the properties and the value to be set for each property.

Configuration Property	Value
Hadoop User Group Mapping Implementation	`org.apache.hadoop.security.LdapGroupsMapping`
Hadoop User Group Mapping LDAP URL	`ldap://<server>`
Hadoop User Group Mapping LDAP Bind User	`Administrator@example.com`
Hadoop User Group Mapping LDAP Bind User Password	`***`
Hadoop User Group Mapping Search Base	`dc=example,dc=com`

Although the above changes are sufficient to configure group mappings for Active Directory, some changes to the remaining default configurations might be required for OpenLDAP.

Using the Command Line

Add the following properties to the core-site.xml on the NameNode:

<property>    
<name>hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>  
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.url</name>
<value>ldap://server</value>  
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.bind.user</name>
<value>Administrator@example.com</value>
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.bind.password</name>    
<value>****</value>
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.base</name>
<value>dc=example,dc=com</value>  
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.search.filter.user</name>
<value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>  
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.search.filter.group</name>  
<value>(objectClass=group)</value>  
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.search.attr.member</name>    
<value>member</value>
</property>  

<property>
<name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>    
<value>cn</value>
</property>

Integrating Hadoop Security with Alternate Authentication

Hadoop Users in Cloudera Manager and CDH