Thursday, November 30, 2017

Setting up Hadoop Group Mapping with the Knox Demo LDAP on the HDP 2.6 Sandbox

Reference: https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.0.0/bk_ambari-security/content/setting_up_hadoop_group_mappping_for_ldap_ad.html

1. If needed, add users and groups to /etc/knox/conf/users.ldif from Ambari:
Knox => Configs => Advanced users-ldif

2. Start the Knox Demo LDAP (from Ambari, or with one of the commands below)
To start it from the command line, run as the knox user:
sudo -u knox -i /usr/hdp/current/knox-server/bin/ldap.sh start
or
sudo -u knox -i java -jar /usr/hdp/current/knox-server/bin/ldap.jar /usr/hdp/current/knox-server/conf &

Verify (the demo LDAP listens on port 33389; the search base is dc=hadoop,dc=apache,dc=org, so pass it with -b; the demo admin bind DN and password below are the defaults shipped with the demo LDAP):
yum install -y openldap-clients
ldapsearch -H 'ldap://sandbox-hdp.hortonworks.com:33389/' -x -D 'uid=admin,ou=people,dc=hadoop,dc=apache,dc=org' -w admin-password -b 'dc=hadoop,dc=apache,dc=org' '(objectclass=person)' uid
ldapsearch -H 'ldap://sandbox-hdp.hortonworks.com:33389/' -x -D 'uid=admin,ou=people,dc=hadoop,dc=apache,dc=org' -w admin-password -b 'dc=hadoop,dc=apache,dc=org' '(objectclass=groupOfNames)' member cn
ldapsearch -H 'ldap://sandbox-hdp.hortonworks.com:33389/' -x -D 'uid=admin,ou=people,dc=hadoop,dc=apache,dc=org' -w admin-password -b 'dc=hadoop,dc=apache,dc=org' '(&(objectclass=person)(uid=sam))'
The first search lists the users (uid), the second lists the groups with their members, and the third is exactly the user lookup that Hadoop will perform with the filter configured in step 3.

3. In Ambari, add the following properties under HDFS => Configs => Custom core-site
hadoop.security.group.mapping=org.apache.hadoop.security.LdapGroupsMapping
hadoop.security.group.mapping.ldap.bind.user=uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
hadoop.security.group.mapping.ldap.url=ldap://sandbox-hdp.hortonworks.com:33389/dc=hadoop,dc=apache,dc=org
# The base DN is appended to the URL above, so ldap.base is left unset here
#hadoop.security.group.mapping.ldap.base=
hadoop.security.group.mapping.ldap.search.filter.user=(&(objectclass=person)(uid={0}))
hadoop.security.group.mapping.ldap.search.filter.group=(objectclass=groupofnames)
hadoop.security.group.mapping.ldap.search.attr.member=member
hadoop.security.group.mapping.ldap.search.attr.group.name=cn
# Add this one as a PASSWORD-type property so Ambari masks it in the UI
hadoop.security.group.mapping.ldap.bind.password=admin-password

Note: this is a sandbox setup. The demo LDAP speaks plain ldap:// and its admin credentials are well known, and the bind password ends up in core-site.xml in clear text. For a real cluster use ldaps (hadoop.security.group.mapping.ldap.ssl=true) and keep the bind password out of core-site.xml, for example via hadoop.security.group.mapping.ldap.bind.password.file or the Hadoop credential provider.


For a composite mapping (local Unix groups for service accounts, the demo LDAP for regular users):
hadoop.security.group.mapping=org.apache.hadoop.security.CompositeGroupsMapping
hadoop.security.group.mapping.providers=shell4services,ldap-demo4users
hadoop.security.group.mapping.provider.shell4services=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
hadoop.security.group.mapping.provider.ldap-demo4users=org.apache.hadoop.security.LdapGroupsMapping
hadoop.security.group.mapping.provider.ldap-demo4users.ldap.url=ldap://sandbox-hdp.hortonworks.com:33389/dc=hadoop,dc=apache,dc=org
hadoop.security.group.mapping.provider.ldap-demo4users.ldap.bind.user=uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
# The base DN is appended to the URL above, so ldap.base is left unset here
#hadoop.security.group.mapping.provider.ldap-demo4users.ldap.base=
hadoop.security.group.mapping.provider.ldap-demo4users.ldap.search.filter.user=(&(objectclass=person)(uid={0}))
hadoop.security.group.mapping.provider.ldap-demo4users.ldap.search.filter.group=(objectclass=groupofnames)
hadoop.security.group.mapping.provider.ldap-demo4users.ldap.search.attr.member=member
hadoop.security.group.mapping.provider.ldap-demo4users.ldap.search.attr.group.name=cn
# Add this one as a PASSWORD-type property so Ambari masks it in the UI
hadoop.security.group.mapping.provider.ldap-demo4users.ldap.bind.password=admin-password

4. Restart HDFS, YARN and MapReduce2
Because the services are restarted, the commands below should not be needed (they only flush the cached user-to-group lookups; they do not load a new mapping class):
sudo -u hdfs -i hdfs dfsadmin -refreshUserToGroupsMappings
sudo -u yarn -i yarn rmadmin -refreshUserToGroupsMappings

5. Verify: if everything worked, the command below should print something (the cn values of the groupOfNames entries that list sam as a member, in the form "sam : group1 group2"); an empty group list means the user search or the group search did not match, so re-check the filters against the ldapsearch output from step 2
sudo -u hdfs -i hdfs groups sam
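To see what the properties in step 3 actually do, the following is an added example (not code from the post, from Hadoop, or from Knox) that replays the two-step lookup LdapGroupsMapping performs, search.filter.user with {0} replaced by the user name, then search.filter.group combined with attr.member = the user's DN, over an embedded LDIF. The LDIF is constructed here, modelled on the ou=people / ou=groups layout of the Knox demo LDAP, and is not a copy of the real /etc/knox/conf/users.ldif; the filter evaluator only covers the equality, &, | and ! forms needed here. It also escapes the substituted user name the way JNDI does for Hadoop's {0} placeholder, so a user name that contains filter metacharacters cannot rewrite the search.

```python
"""Offline replay of Hadoop LdapGroupsMapping's group resolution (added example)."""
import re

# Constructed sample LDIF in the style of the Knox demo LDAP (not the real users.ldif).
SAMPLE_LDIF = """\
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
uid: admin
cn: admin

dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
uid: sam
cn: sam

dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
uid: tom
cn: tom

dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupOfNames
cn: analyst
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupOfNames
cn: scientist
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
"""

# Same values as the hadoop.security.group.mapping.ldap.* properties in step 3.
CONF = {
    "ldap.base": "dc=hadoop,dc=apache,dc=org",
    "ldap.search.filter.user": "(&(objectclass=person)(uid={0}))",
    "ldap.search.filter.group": "(objectclass=groupofnames)",
    "ldap.search.attr.member": "member",
    "ldap.search.attr.group.name": "cn",
}


def parse_ldif(text):
    """Minimal LDIF parser: returns [(dn, {attr_lower: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (what JNDI does for {0})."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _split_filters(s):
    """Split '(a)(b)(c)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(attrs, flt):
    """Evaluate the filter subset used here: (attr=value), (&...), (|...), (!...)."""
    body = flt.strip()[1:-1]
    if body[0] == "&":
        return all(matches(attrs, p) for p in _split_filters(body[1:]))
    if body[0] == "|":
        return any(matches(attrs, p) for p in _split_filters(body[1:]))
    if body[0] == "!":
        return not matches(attrs, _split_filters(body[1:])[0])
    name, _, value = body.partition("=")
    # Attribute names and objectClass values are case-insensitive in LDAP.
    return value.lower() in (v.lower() for v in attrs.get(name.strip().lower(), []))


def lookup_groups(entries, user, conf=CONF):
    """Step 1: find the user DN; step 2: find groups whose member attribute holds that DN."""
    base = conf["ldap.base"].lower()
    in_base = lambda dn: dn.lower().endswith(base)
    user_filter = conf["ldap.search.filter.user"].replace("{0}", escape_filter_value(user))
    user_dns = [dn for dn, a in entries if in_base(dn) and matches(a, user_filter)]
    if not user_dns:
        return []  # unknown user: Hadoop reports no groups
    group_filter = "(&%s(%s=%s))" % (conf["ldap.search.filter.group"],
                                     conf["ldap.search.attr.member"],
                                     escape_filter_value(user_dns[0]))
    groups = []
    for dn, a in entries:
        if in_base(dn) and matches(a, group_filter):
            groups.extend(a.get(conf["ldap.search.attr.group.name"], []))
    return groups


if __name__ == "__main__":
    ldif = parse_ldif(SAMPLE_LDIF)
    for u in ("sam", "tom", "admin", "nobody"):
        print("%s : %s" % (u, " ".join(lookup_groups(ldif, u))))
```

If `hdfs groups` comes back empty on the sandbox, reproduce the two searches with ldapsearch (step 2): the user filter must return exactly one entry, and the group filter combined with member=<that DN> must return the groups; a mismatch in objectclass, the member attribute name, or the base DN is the usual cause.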
