Jun,
   It is not something specific to Hadoop. It is general configuration and
management of user accounts in Linux. LDAP is a directory standard that is
used for managing user accounts apart from other things. Active
Directory (Microsoft) and OpenLDAP are some of the LDAP server implementations
available. You can manage your user accounts (id and password) in LDAP and
configure all your Linux machines to look up user accounts there instead of
creating accounts locally in each node. When a user logs into a Linux node,
he is authenticated against the LDAP server. The LDAP server is the source of
truth for user accounts and user addition/modifications are done in one
place, making it easier to manage.

A few documents:
    http://karmak.org/archive/2003/02/ldap/ldap-linux.htm
    http://people.redhat.com/alikins/ldap/ldap.html

You can search online for better documentation on setup and configuration.

Regards,
Rohini


On Thu, Feb 14, 2013 at 12:56 PM, Jun Yuan-Murray <[email protected]> wrote:

> Hi Alejandro,
>
> Thanks for your reply -- Can you please give me a bit more of a hint on
> "configure your nodes to use LDAP as their source of user provisioning."  I
> searched the Hadoop documentation but saw no clues. I have the oozie uid and it
> is working fine and securely impersonates other users, but now I am having
> all these real unix users on the cluster and it is annoying to manage them. The
> cluster task-controller complains "no such user" if I do not provision the
> real user id on the namenode....what did I miss? I appreciate your input...
>
> Thanks
>
> -Jun
>
> On Thu, Feb 14, 2013 at 3:34 PM, Alejandro Abdelnur <[email protected]> wrote:
>
> > Jun,
> >
> > With Kerberos enabled, you need in your Hadoop cluster (all nodes) a unix
> > id for every user submitting jobs to the cluster (via proxy user -like
> > Oozie- or directly).
> >
> > You can configure your nodes to use LDAP as their source of user
> > provisioning.
> >
> > Thx
> >
> >
> > On Thu, Feb 14, 2013 at 12:29 PM, Jun Yuan-Murray <[email protected]>
> > wrote:
> >
> > > ==Sorry for the spam if this mail has been sent more than once=== It
> > > failed when I first tried ... ========
> > >
> > > Hello all,
> > >
> > > I am using the secure impersonation feature of Oozie to enable an admin
> > > (with credentials) to run jobs on behalf of proxy
> > > users (without credentials). I have a naive question ...
> > >
> > > For the ease of user account management I would rather keep all these
> > > users and their groups somewhere else,
> > > maybe in an active directory instead of on the cluster namenode. Does
> > > secure impersonation of Oozie allow the
> > > admin to run jobs on behalf of fake users (not really unix users)? Or do I
> > > have to keep all the unix users?
> > >
> > > Thanks very much!
> > >
> > > --
> > >
> > > Best,
> > >
> > > Jun Yuan-Murray
> > >
> > > -------------------------------------------------------------
> > > PhD Candidate, CS Dept, SPLAT
> > > Stony Brook University
> > >
> >
> >
> >
> > --
> > Alejandro
> >
>
>
>
> --
>
> Best,
>
> Jun Yuan-Murray
>
> -------------------------------------------------------------
> PhD Candidate, CS Dept, SPLAT
> Stony Brook University
>

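A per-node pre-flight check for the setup discussed in this thread, as an added example that is not part of the original messages: it confirms that the `passwd` and `group` databases in `/etc/nsswitch.conf` consult a directory source, and it lists job users the node cannot resolve (the condition behind the task-controller's "no such user"). The source names `ldap` and `sss`, the sample file and the user names are assumptions.

```python
import pwd
import re

# Constructed sample of /etc/nsswitch.conf (not taken from the thread).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:   files ldap
group:    files ldap [NOTFOUND=return]
shadow:   files
hosts:    files dns
"""

# Assumption: LDAP lookups are provided by nss_ldap ("ldap") or SSSD ("sss").
DIRECTORY_SOURCES = {"ldap", "sss"}


def nss_sources(conf_text, database):
    """Return the ordered lookup sources configured for one NSS database."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop [STATUS=action] items
            return rest.split()
    return []


def uses_directory(conf_text, database):
    """True if the database consults an LDAP-backed source."""
    return any(s in DIRECTORY_SOURCES for s in nss_sources(conf_text, database))


def unresolved_users(users, lookup=pwd.getpwnam):
    """Users this node cannot resolve through NSS (local files or LDAP)."""
    missing = []
    for user in users:
        try:
            lookup(user)          # libc getpwnam(), which follows nsswitch.conf
        except KeyError:
            missing.append(user)
    return missing


if __name__ == "__main__":
    for db in ("passwd", "group"):
        print(db, nss_sources(SAMPLE_NSSWITCH, db), uses_directory(SAMPLE_NSSWITCH, db))
    # Hypothetical job users; replace with the accounts that submit jobs.
    print("unresolved:", unresolved_users(["alice", "bob"]))
```

Run it on every node, reading the real `/etc/nsswitch.conf` in place of the sample, since each node must resolve every submitting user.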