This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 5fc26516f1 [KYUUBI #6628] [DOCS] Improve docs for GROUP Share Level
5fc26516f1 is described below
commit 5fc26516f161fa489136b97de809d3dc0944faba
Author: futureltl <[email protected]>
AuthorDate: Wed Aug 21 14:34:15 2024 +0800
[KYUUBI #6628] [DOCS] Improve docs for GROUP Share Level
# :mag: Description
## Issue References
This pull request fixes #3897
## Describe Your Solution
Enrich the description for GROUP Share Level.
## Types of changes :bookmark:
- [ ] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
## Test Plan
#### Behavior Without This Pull Request :coffin:
#### Behavior With This Pull Request :tada:
#### Related Unit Tests
---
# Checklist
- [ ] This patch was not authored or co-authored using [Generative
Tooling](https://www.apache.org/legal/generative-tooling.html)
**Be nice. Be informative.**
Closes #6628 from futureltl/master.
Closes #6628
ba18bfce4 [futureltl] Improve docs for GROUP Share Level
3b19521e1 [futureltl] Improve docs for GROUP Share Level
da7d9b61e [Cheng Pan] Update docs/deployment/engine_share_level.md
674066a08 [Cheng Pan] Update docs/deployment/engine_share_level.md
c3a373370 [Cheng Pan] Update docs/deployment/engine_share_level.md
7389cedd2 [futureltl] Improve docs for GROUP Share Level
Lead-authored-by: futureltl <[email protected]>
Co-authored-by: Cheng Pan <[email protected]>
Signed-off-by: Cheng Pan <[email protected]>
---
docs/deployment/engine_share_level.md | 53 +++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/docs/deployment/engine_share_level.md
b/docs/deployment/engine_share_level.md
index 4a7b680cb4..7a11260bd8 100644
--- a/docs/deployment/engine_share_level.md
+++ b/docs/deployment/engine_share_level.md
@@ -108,6 +108,59 @@ It follows the [Hadoop
GroupsMapping](https://hadoop.apache.org/docs/current/had
The mechanisms of `SparkContext`, `SparkSession` and TTL works similarly to
USER share level.
+Here is an example to configure `HadoopGroupProvider` to use LDAP-based group
mapping.
+1. Add the properties shown in the example below to the `core-site.xml` file.
You will need to provide the value for the bind user, the bind password, and
other properties specific to your LDAP instance, and make sure that object
class, user, and group filters match the values specified in your LDAP instance.
+
+```xml
+<property
+ <name>hadoop.security.group.mapping</name>
+ <value>org.apache.hadoop.security.LdapGroupsMapping</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.url</name>
+ <value>ldap://localhost:389</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.base</name>
+ <value>dc=example,dc=com</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.bind.user</name>
+ <value>cn=Manager,dc=example,dc=com</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.bind.password</name>
+ <value>example</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
+ <value>(&(objectClass=posixAccount)(cn={0}))</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
+ <value>(objectClass=posixGroup)</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
+ <value>memberuid</value>
+</property>
+
+<property>
+ <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
+ <value>cn</value>
+</property>
+```
+
+2. Use the applicable instructions to re-start the HDFS NameNode and the YARN
ResourceManager.
+3. Verify LDAP group mapping by running the `hdfs groups` command. This
command will fetch groups from LDAP for the current user. Note that with LDAP
group mapping configured, the HDFS permissions can leverage groups defined in
LDAP for access control.
+
**Tips for authorization in GROUP share level**:
The session user and the primary group name(as sparkUser/execute user) will be
both accessible at engine-side.
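
Review bot: the first `<property` of the added XML example is missing its closing `>`, and the user filter value `(&(objectClass=posixAccount)(cn={0}))` carries a raw `&`, so the snippet is not well-formed XML and will fail to parse when pasted into `core-site.xml`; please change the opening tag to `<property>` and write the filter as `(&amp;(objectClass=posixAccount)(cn={0}))`. The example also sets the bind password inline through `hadoop.security.group.mapping.ldap.bind.password` and uses a plain `ldap://` URL, which readers tend to copy verbatim; a sentence pointing to `hadoop.security.group.mapping.ldap.bind.password.file` (or a credential provider) and to an `ldaps://` URL for non-local directories would make the sample safer to reuse. Finally, step 2 only mentions restarting the HDFS NameNode and YARN ResourceManager, while the lead-in says the goal is to configure `HadoopGroupProvider`; it would be worth stating which process has to see this `core-site.xml` for the GROUP share level to pick up the mapping.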