Home | About | Sematext search-lucene.com search-hadoop.com
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB
 Search Hadoop and all its subprojects:

Switch to Threaded View
HDFS >> mail # user >> Re: multiusers in hadoop through LDAP


Copy link to this message
-
Re: multiusers in hadoop through LDAP
So, not knowing much about LDAP, but being very interested in the multiuser
problem on multiuser filesystems, i was excited to see this question.... Im
researching the same thing at the moment, and it seems obviated by the fact
that :

- the FileSystem API itslef provides implementations for getting group and
user names / permissions....

And furthermore

- the linux task controllers launch jobs as the user submitting the job,
whereas the regular task controllers launch tasksunder the YARN daemon
name, iirc.

So.... where does LDAP begin and TaskController / FileSystem notions of
ownership end.... ?

I guess I'm also asking what are the entites which are "ownable" in hadoop
app , and how we can leverage the GroupMappingServiceProviders to deploy
more flexible hadoop environments.

Any thoughts on this would be appreciated.

On Tue, Dec 10, 2013 at 6:38 PM, Adam Kawa <[EMAIL PROTECTED]> wrote:

> Please have a look at hadoop.security.group.mapping.ldap.* settings as Hardik
> Pandya suggests.
>
> ====>
> In advance, just to share our story related to LDAP +
> hadoop.security.group.mapping.ldap.*, if you run into the same limitation
> as we did:
>
> In many cases hadoop.security.group.mapping.ldap.* should solve your
> problem. Unfortunately, they did now work for us. The problematic setting
> relates to an additional filter to use when searching for LDAP groups. We
> wanted to use posixGroups filter, but it is currently not supported by
> Hadoop. Finally, we found a workaround using name service switch
> configuration where we specified that the LDAP should the primary source of
> information about groups of our users. This means that we solved this
> problem on the operating system level, not on Hadoop level.
>
> You can read more about this issue here:
>
> http://hakunamapdata.com/a-user-having-surprising-troubles-running-more-resource-intensive-hive-queries/
> and here
> http://www.slideshare.net/AdamKawa/hadoop-adventures-at-spotify-strata-conference-hadoop-world-2013 (slides
> 18-26).
>
>
> 2013/12/10 Hardik Pandya <[EMAIL PROTECTED]>
>
>>
>> have you looked at hadoop.security.group.mapping.ldap.* in
>> hadoop-common/core-default.xml<http://hadoop.apache.org/docs/current2/hadoop-project-dist/hadoop-common/core-default.xml>
>>
>> additional resource<http://hakunamapdata.com/a-user-having-surprising-troubles-running-more-resource-intensive-hive-queries/>may help
>>
>>
>>
>>
>>
>>
>> On Tue, Dec 10, 2013 at 3:06 AM, YouPeng Yang <[EMAIL PROTECTED]>wrote:
>>
>>> Hi
>>>
>>>   In my cluster ,I want to have multiusers for different purpose.The
>>> usual method is to add a user through the OS  on  Hadoop NameNode .
>>>   I notice the hadoop also support to LDAP, could I add user through
>>> LDAP instead through OS? So that if a user is authenticated by the LDAP
>>> ,who will also access the HDFS directory?
>>>
>>>
>>> Regards
>>>
>>
>>
>
--
Jay Vyas
http://jayunit100.blogspot.com
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB