HDFS group permission problem on a cluster integrated with Kerberos + AD

Time: 2015-11-02 20:32:32

Tags: security hadoop hdfs kerberos

The CDH cluster is integrated with Kerberos + AD.

user_A has been added to the groups groupX and AD_GROUP_X

user_B has been added to the groups groupX and AD_GROUP_X

There are two files in HDFS with different group permissions:

/user/file_a

  • Owner: user_A, group: groupA
  • Permissions: u=rwx, g=rwx, o=---

/user/file_b

  • Owner: user_B, group: AD_GROUP_X
  • Permissions: u=rwx, g=rwx, o=---

Scenario #1: user_A wants to access file /user/file_b ==> Success

Scenario #2: user_B wants to access file /user/file_a ==> failed, expected success

Once AD is integrated with the cluster, does HDFS read only the AD groups, or can it read both the AD groups and the unix groups?

1 answer:

Answer 0: (score: 1)

Multiple existing mapping providers can be configured and combined, without requiring all users to be present in a single place. That is, AD users can use the LdapGroupsMapping provider for their groups, while Unix users can use the default provider ShellBasedUnixGroupsMapping for unix group mapping.

It can be configured as follows.

<property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.CompositeGroupsMapping</value>
</property>

<property>
    <name>hadoop.security.group.mapping.providers</name>
    <value>unix,ad01,ad02</value>
</property>

<property>
    <name>hadoop.security.group.mapping.providers.combined</name>
    <value>true</value>
    <description>true or false to indicate whether groups from the providers are combined or not. If true, all the providers are tried and the final result is all the groups where the user exists. If false, the first group in which the user was found is returned. Default value is true.
    </description>
</property>

<property>
    <name>hadoop.security.group.mapping.provider.unix</name>
    <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
</property>

<property>
    <name>hadoop.security.group.mapping.provider.ad01</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.ad02</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>

<property>
    <name>hadoop.security.group.mapping.provider.ad01.ldap.url</name>
    <value>ldap://</value>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.ad02.ldap.url</name>
    <value>ldap://</value>
</property>

<property>
    <name>hadoop.security.group.mapping.provider.ad01.ldap.bind.user</name>
    <value></value>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.ad02.ldap.bind.user</name>
    <value></value>
</property>

<property>
    <name>hadoop.security.group.mapping.provider.ad01.ldap.base</name>
    <value></value>
</property>
<property>
    <name>hadoop.security.group.mapping.provider.ad02.ldap.base</name>
    <value></value>
</property>

Support multiple group providers - JIRA
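The following is an added example, not part of the answer above and not Hadoop code: a small Python model of how CompositeGroupsMapping resolves a user's groups under the providers / providers.combined settings, and how the HDFS owner/group/other check then applies those groups to the two files from the question. The provider lookups are constructed sample data; it assumes user_B's unix groups include groupA, which is what the question's "expected success" in scenario #2 implies.

```python
# Constructed lookups standing in for ShellBasedUnixGroupsMapping (OS groups on
# the NameNode) and LdapGroupsMapping (AD groups). Assumption: both users carry
# groupA in the OS and AD_GROUP_X in AD; these are sample values, not real data.
UNIX_GROUPS = {"user_A": ["groupA"], "user_B": ["groupA"]}
AD_GROUPS = {"user_A": ["AD_GROUP_X"], "user_B": ["AD_GROUP_X"]}

PROVIDERS = {
    "unix": lambda u: UNIX_GROUPS.get(u, []),   # hadoop.security.group.mapping.provider.unix
    "ad01": lambda u: AD_GROUPS.get(u, []),     # hadoop.security.group.mapping.provider.ad01
}


def composite_groups(user, providers, combined=True):
    """Mirror the semantics of hadoop.security.group.mapping.providers[.combined]:
    combined=True  -> union of every provider's groups, in provider order;
    combined=False -> the groups from the first provider that knows the user."""
    groups = []
    for name in providers:
        found = PROVIDERS[name](user)
        if not found:
            continue
        if not combined:
            return list(found)
        groups.extend(g for g in found if g not in groups)
    return groups


def hdfs_can_read(path_meta, user, groups):
    """Owner/group/other triad as HDFS applies it: the first matching class
    decides, with no fall-through to the 'other' bits."""
    owner, group, mode = path_meta          # mode is (u, g, o), e.g. ("rwx", "rwx", "---")
    if user == owner:
        bits = mode[0]
    elif group in groups:
        bits = mode[1]
    else:
        bits = mode[2]
    return "r" in bits


# The two files from the question: (owner, group, (u, g, o)).
FILE_A = ("user_A", "groupA", ("rwx", "rwx", "---"))
FILE_B = ("user_B", "AD_GROUP_X", ("rwx", "rwx", "---"))


def scenario(user, path_meta, providers, combined=True):
    """Resolve the user's groups through the given providers, then check read access."""
    return hdfs_can_read(path_meta, user, composite_groups(user, providers, combined))


if __name__ == "__main__":
    # Only the AD provider configured: scenario #2 fails, as the question reports.
    print(scenario("user_B", FILE_A, ["ad01"]))           # -> False
    # unix + AD combined: user_B now also carries groupA, so scenario #2 succeeds.
    print(scenario("user_B", FILE_A, ["unix", "ad01"]))   # -> True
```

Group resolution happens on the NameNode, so the unix provider only helps if groupA exists in the NameNode's OS group database; on a real cluster, `hdfs groups user_B` shows what the NameNode actually resolved.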