参考:https://hadoop-and-hdp.blogspot.com.au/2017/01/hdp-253knox-demo-ldapbeeline.html
http://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/configuring_ambari_for_ldap_or_active_directory_authentication.html
[root@node1 ~]# ambari-server setup-ldap
Using python /usr/bin/python
Setting up LDAP properties...
Primary URL* {host:port} : node1.localdomain:33389
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (posixAccount): person
User name attribute* (uid):
Group object class* (posixGroup): groupofnames
Group name attribute* (cn):
Group member attribute* (memberUid): member
Distinguished name attribute* (dn):
Base DN* : dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] : ignore
Bind anonymously* [true/false] (false):
Manager DN* : uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)?
Saving...done
Ambari Server 'setup-ldap' completed successfully.
[root@node1 ~]# ambari-server restart
[root@node1 ambari-server]# grep ldap /etc/ambari-server/conf/ambari.properties
ambari.ldap.isConfigured=true
authentication.ldap.baseDn=dc=hadoop,dc=apache,dc=org
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=groupofnames
authentication.ldap.managerDn=uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.pagination.enabled=false
authentication.ldap.primaryUrl=node1.localdomain:33389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=uid
client.security=ldap
/etc/ambari-server/conf/log4j.properties
#LDAP debug (そんなに有効ではない)
log4j.logger.org.apache.ambari.server.security=DEBUG
AmbariServerログに、下記のエラーが出たらBase DNを疑ってみる。
25 Apr 2017 07:23:15,290 FATAL [pool-16-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
それでもだめなら、下記をambari.propertiesに追加してみる
authentication.ldap.pagination.enabled=false
補足1: 'admin'ユーザがかぶるので、パスワードがadmin-passwordになります。
再度、ローカルユーザ'admin'を作ると、Ambariが正しくユーザリストを表示しなくなります。(DBはユーザネームがユニークでないのに、Ambari側はユーニークなのを期待している模様)
そこで、Admin以外のユーザだけを追加する:
ambari-server sync-ldap --users <(grep -E '^uid' /etc/knox/conf/users.ldif | grep -vw admin | awk '{print $2}' | tr '\n' ',') --verbose
補足2:ユーザをデータベースを消すのはよくなさそうなので、APIで:
for u in `grep -E '^uid' /etc/knox/conf/users.ldif | grep -vw admin | awk '{print $2}'`; do curl -i -u admin:admin -H 'X-Requested-By: ambari' -X DELETE http://localhost:8080/api/v1/users/$u; done
http://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/configuring_ambari_for_ldap_or_active_directory_authentication.html
[root@node1 ~]# ambari-server setup-ldap
Using python /usr/bin/python
Setting up LDAP properties...
Primary URL* {host:port} : node1.localdomain:33389
Secondary URL {host:port} :
Use SSL* [true/false] (false):
User object class* (posixAccount): person
User name attribute* (uid):
Group object class* (posixGroup): groupofnames
Group name attribute* (cn):
Group member attribute* (memberUid): member
Distinguished name attribute* (dn):
Base DN* : dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] : ignore
Bind anonymously* [true/false] (false):
Manager DN* : uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
Enter Manager Password* :
Re-enter password:
====================
Review Settings
====================
authentication.ldap.managerDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword: *****
Save settings [y/n] (y)?
Saving...done
Ambari Server 'setup-ldap' completed successfully.
[root@node1 ~]# ambari-server restart
[root@node1 ambari-server]# grep ldap /etc/ambari-server/conf/ambari.properties
ambari.ldap.isConfigured=true
authentication.ldap.baseDn=dc=hadoop,dc=apache,dc=org
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=dn
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=groupofnames
authentication.ldap.managerDn=uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
authentication.ldap.managerPassword=/etc/ambari-server/conf/ldap-password.dat
authentication.ldap.pagination.enabled=false
authentication.ldap.primaryUrl=node1.localdomain:33389
authentication.ldap.referral=ignore
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=person
authentication.ldap.usernameAttribute=uid
client.security=ldap
/etc/ambari-server/conf/log4j.properties
#LDAP debug (そんなに有効ではない)
log4j.logger.org.apache.ambari.server.security=DEBUG
AmbariServerログに、下記のエラーが出たらBase DNを疑ってみる。
25 Apr 2017 07:23:15,290 FATAL [pool-16-thread-1] AbstractRequestControlDirContextProcessor:186 - No matching response control found for paged results - looking for 'class javax.naming.ldap.PagedResultsResponseControl
それでもだめなら、下記をambari.propertiesに追加してみる
authentication.ldap.pagination.enabled=false
補足1: 'admin'ユーザがかぶるので、パスワードがadmin-passwordになります。
再度、ローカルユーザ'admin'を作ると、Ambariが正しくユーザリストを表示しなくなります。(DBはユーザネームがユニークでないのに、Ambari側はユーニークなのを期待している模様)
そこで、Admin以外のユーザだけを追加する:
ambari-server sync-ldap --users <(grep -E '^uid' /etc/knox/conf/users.ldif | grep -vw admin | awk '{print $2}' | tr '\n' ',') --verbose
補足2:ユーザをデータベースを消すのはよくなさそうなので、APIで:
for u in `grep -E '^uid' /etc/knox/conf/users.ldif | grep -vw admin | awk '{print $2}'`; do curl -i -u admin:admin -H 'X-Requested-By: ambari' -X DELETE http://localhost:8080/api/v1/users/$u; done
