Just got reply from user mailing list from Natty, as follows.
And I'd like to discuss further here since it's more appropriate.
1. It's great idea that we just write a customized group mapping service to handle different mapping for AD user and service principal;
2. OK, I'd like to improve it to support multiple ADs;
3. Great to know it. I will try the group mapping with OpenLDAP making use of the current configuration properties.
And further, to support to do different mapping for different user/principal, and support multiple ADs, we also need extra properties to
configure what kind of user/principal (regarding domain/realm is an option) should use which group mapping mechanism.
To improve such things, I'm going to fire a JIRA for these. It would be great if you could continue to comment on it.
Thanks & regards,
From: Jonathan Natkins [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2012 8:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Secure hadoop and group permission on HDFS
1. To the best of my knowledge, you can only use one group mapping service at a time. In order to do what you're suggesting, you'd have to write a customized group mapping service.
2. Currently multiple ADs are not supported, but it's certainly an improvement that could be made.
3. The LdapGroupsMapping already supports OpenLDAP. It's pretty heavily configurable for the purpose of supporting multiple types of LDAP implementations. The defaults just happen to be geared towards Active Directory.
From: Zheng, Kai [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2012 8:32 AM
To: [EMAIL PROTECTED]
Subject: Questions and possible improvements for LdapGroupsMapping
Regarding LdapGroupsMapping, I have following questions:
1. Is it possible to use ShellBasedUnixGroupsMapping for Hadoop service principals/users, and LdapGroupsMapping for end user accounts?
In our environment, normal end users (along with their groups info) for Hadoop cluster are from AD, and for them we prefer to use the ldap mapping; but for hdfs/mapred service principals, the default shell based one is enough, and we don't want to create the user/group entries in AD just for that.
Seems in current implementation, only one user group mapping provider can be configured.
2. Can we support multiple ADs? Hadoop users might come from more than ONE AD in big org.
3. Is there any technical issue not to support LDAPs like OpenLDAP? In my understanding, one possible difficulity might be that it's not easy to extract common
group lookup mechanism with common filters/configurations both applied for AD and OpenLDAP like, right?
I'm wondering if these are just limits for current implementation, and if so if we need to improve that. Might the community has already been going for that?