Hello Aneela,

You can refer to this page for instructions on Hadoop impersonation: http://hadoopsecurity.org/wiki/HowToImpersonate

thanks,
Benoy

On Thu, Jun 23, 2016 at 1:15 PM, Chris Nauroth <[email protected]> wrote:

> Hello Aneela,
>
> If your cluster has enabled Kerberos security, then the HADOOP_USER_NAME
> environment variable has no effect.
>
> It sounds like you want to test a proxy user scenario, in which
> authentication is performed as user "hdfs" via Kerberos, but then execution
> of the request (including any group membership resolution and authorization
> checks) proceeds as user "michael". There is a different environment
> variable named HADOOP_PROXY_USER that can be set to achieve this.
>
> Does that help?
>
> --Chris Nauroth
>
> From: Aneela Saleem <[email protected]>
> Date: Thursday, June 23, 2016 at 12:45 PM
> To: "[email protected]" <[email protected]>
> Subject: Kerberos Impersonation in Hadoop
>
> Hi all,
>
> I'm trying Kerberos impersonation in Hadoop, but I can't get a clear
> idea of what impersonation is. Is it done by setting
> HADOOP_USER_NAME from the command line, or is it something else? It's confusing.
> I can't understand it from the documentation.
>
> Actually, what I'm trying to do is to simulate LDAP users on my system when
> accessing HDFS. I'm using group mapping from LDAP, and that's working fine
> when I run the *'hdfs groups'* command. I just want to verify whether
> the user I pass in *HADOOP_USER_NAME* from the command line when accessing
> HDFS is actually impersonating an LDAP user or not. How can I verify it?
>
> Let's have a look at the following use case:
>
> - I have a service principal, i.e., hdfs/platalytics.com@platalyticsrealm
> - I initiate the authentication request using this service principal and get a
>   TGT for this principal
> - Now when I run the command with any proxy user, whether it exists or not,
>   *HADOOP_USER_NAME=michael hdfs dfs -mkdir /temp* it allows me to create the
>   temp directory on behalf of 'hdfs' (michael is an LDAP user)
>
> But when I initiate an authentication request through a user principal, i.e.,
> michael/platalytics.com@platalyticsrealm,
> and run the command *hdfs dfs -mkdir /temp* it says michael doesn't have
> enough permissions.
>
> I can't understand how things are working. How can I test LDAP users?
> I have not configured PAM for LDAP authentication; I want to test it
> without PAM.
>
> I have enabled impersonation with the following configuration parameters:
>
> <property>
>   <name>hadoop.proxyuser.hdfs.groups</name>
>   <value>Admin,hdfs</value>
> </property>
> <property>
>   <name>hadoop.proxyuser.hdfs.hosts</name>
>   <value>platalytics.com</value>
> </property>
>
> Thanks
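
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Hadoop source code: a simplified Python model of how the effective user is chosen under Kerberos and how the `hadoop.proxyuser.hdfs.groups` / `hadoop.proxyuser.hdfs.hosts` settings quoted above gate impersonation. The function names, the group memberships and the literal host comparison are assumptions made for illustration.

```python
# Simplified model (an assumption, not Hadoop source) of how a secured cluster
# picks the effective user and applies hadoop.proxyuser.<real>.{groups,hosts}.

def _allowed(csv, candidates):
    """True if the comma-separated setting is '*' or lists any candidate."""
    if csv is None:                      # setting absent: nothing is allowed
        return False
    entries = {e.strip() for e in csv.split(",") if e.strip()}
    return "*" in entries or bool(entries & set(candidates))

def effective_user(auth, login_user, env):
    """Return (real_user, effective_user) for one client invocation."""
    if auth == "kerberos":
        real = login_user                # HADOOP_USER_NAME has no effect
    else:
        real = env.get("HADOOP_USER_NAME", login_user)
    return real, env.get("HADOOP_PROXY_USER", real)

def authorize(conf, auth, login_user, env, client_host, groups_of):
    """Return the user the request runs as, or raise PermissionError."""
    real, effective = effective_user(auth, login_user, env)
    if effective == real:
        return real                      # no impersonation requested
    prefix = f"hadoop.proxyuser.{real}."
    # The proxied user must belong to one of the groups the real user may proxy.
    if not _allowed(conf.get(prefix + "groups"), groups_of.get(effective, [])):
        raise PermissionError(f"{real} may not impersonate {effective}")
    # The request must come from a host the real user may proxy from.
    if not _allowed(conf.get(prefix + "hosts"), [client_host]):
        raise PermissionError(f"{real} may not proxy from {client_host}")
    return effective

# Settings quoted in the thread.
CONF = {
    "hadoop.proxyuser.hdfs.groups": "Admin,hdfs",
    "hadoop.proxyuser.hdfs.hosts": "platalytics.com",
}
# Constructed group mapping standing in for the LDAP lookup.
GROUPS = {"michael": ["Admin"], "guest": ["users"]}

def run(env, host="platalytics.com", auth="kerberos", login_user="hdfs"):
    """Evaluate one invocation made with the hdfs ticket by default."""
    return authorize(CONF, auth, login_user, env, host, GROUPS)
```

In this model, `run({"HADOOP_USER_NAME": "michael"})` still runs as `hdfs`, which matches the directory being created on behalf of `hdfs` in the use case above, while `run({"HADOOP_PROXY_USER": "michael"})` runs as `michael` only because the constructed mapping places him in `Admin`.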
