Many thanks Rohini! This makes a lot of sense to me.

On Sat, Feb 16, 2013 at 10:44 PM, Rohini Palaniswamy <[email protected]> wrote:

> Jun,
> It is not something specific to hadoop. It is general configuration and
> management of user accounts in Linux. LDAP is a directory standard that is
> used for managing user accounts apart from other things. Active
> Directory (Microsoft) and OpenLDAP are some of the LDAP server implementations
> available. You can manage your user accounts (id and password) in LDAP and
> configure all your Linux machines to look up user accounts there instead of
> creating accounts locally in each node. When a user logs into a Linux node,
> he is authenticated against the LDAP server. LDAP server is the source of
> truth for user accounts and user addition/modifications are done in one
> place making it easier to manage.
>
> Few documents:
> http://karmak.org/archive/2003/02/ldap/ldap-linux.htm
> http://people.redhat.com/alikins/ldap/ldap.html
>
> You can search online for better documentation on setup and configuration.
>
> Regards,
> Rohini
>
>
> On Thu, Feb 14, 2013 at 12:56 PM, Jun Yuan-Murray <[email protected]>
> wrote:
>
> > Hi Alejandro,
> >
> > Thanks for replying -- Can you please give me a bit more of a hint about
> > "configure your nodes to use LDAP as their source of user provisioning."
> > I searched the document of hadoop but saw no clues. I have oozie uid and
> > it is working fine with securely impersonating other users but now I am
> > having all these real unix users on cluster and it is annoying to manage
> > them. The cluster task-controller complains "no such user" if I do not
> > provision the real user id on namenode....what did I miss? I appreciate
> > your input...
> >
> > Thanks
> >
> > -Jun
> >
> > On Thu, Feb 14, 2013 at 3:34 PM, Alejandro Abdelnur <[email protected]>
> > wrote:
> >
> > > Jun,
> > >
> > > With Kerberos enabled, you need in your Hadoop cluster (all nodes) a
> > > unix id for every user submitting jobs to the cluster (via proxy user
> > > -like Oozie- or directly).
> > >
> > > You can configure your nodes to use LDAP as their source of user
> > > provisioning.
> > >
> > > Thx
> > >
> > >
> > > On Thu, Feb 14, 2013 at 12:29 PM, Jun Yuan-Murray <[email protected]>
> > > wrote:
> > >
> > > > == Sorry for the spam if this mail has been sent more than once ===
> > > > It failed when I first tried ... ========
> > > >
> > > > Hello all,
> > > >
> > > > I am using the secure impersonation feature of oozie to enable
> > > > admin (with credentials) to run jobs on behalf of proxy
> > > > users (without credentials). I have a naive question ...
> > > >
> > > > For the ease of user account management I would rather keep all these
> > > > users and their groups somewhere else
> > > > maybe in an active directory instead of on the cluster namenode. Does
> > > > secure impersonation of oozie allow the
> > > > admin to run job on behalf of fake users (not really unix users)? Or
> > > > do I have to keep all the unix users?
> > > >
> > > > Thanks very much!
> > > >
> > > > --
> > > >
> > > > Best,
> > > >
> > > > Jun Yuan-Murray
> > > >
> > > > -------------------------------------------------------------
> > > > PhD Candidate, CS Dept, SPLAT
> > > > Stony Brook University
> > > >
> > >
> > >
> > >
> > > --
> > > Alejandro
> > >
> >
> >
> >
> > --
> >
> > Best,
> >
> > Jun Yuan-Murray
> >
> > -------------------------------------------------------------
> > PhD Candidate, CS Dept, SPLAT
> > Stony Brook University
> >
>

--
Best,
Jun Yuan-Murray
-------------------------------------------------------------
PhD Candidate, CS Dept, SPLAT
Stony Brook University
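
A node-side check for the setup discussed in this thread, as an added example that is not part of the original messages: it reads an nsswitch.conf-style file to see whether the `passwd` and `group` databases consult a directory source, and lists job users the node cannot resolve (the condition behind the task-controller's "no such user"). Treating the source names `ldap` and `sss` as "directory-backed" is an assumption, and the sample file and user names are constructed.

```shell
#!/bin/sh
# Added example: does this node look accounts up in a directory service?

# Print the sources listed for one NSS database (passwd, group, ...) in an
# nsswitch.conf-style file, dropping comments and [STATUS=action] items.
nss_sources() {
    sed -e 's/#.*//' -e 's/:/: /' "$2" |
    awk -v db="$1:" '$1 == db {
        out = ""; skip = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\[/) skip = 1
            if (!skip) out = out (out ? " " : "") $i
            if ($i ~ /\]$/) skip = 0
        }
        print out
    }'
}

# Succeed if the database consults a directory source.
# Assumption: "ldap" (nss_ldap) and "sss" (SSSD) are the names that count.
uses_directory() {
    for src in $(nss_sources "$1" "$2"); do
        case $src in ldap|sss) return 0 ;; esac
    done
    return 1
}

# Print each given user name that this node cannot resolve through NSS.
unresolved_users() {
    for u in "$@"; do
        id -u "$u" >/dev/null 2>&1 || echo "$u"
    done
}

# Constructed sample: passwd consults LDAP, group is still local-only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd: files ldap      # accounts come from the directory
group:  files
shadow: files [NOTFOUND=return] ldap
EOF
for db in passwd group; do
    if uses_directory "$db" "$sample"; then echo "$db: directory-backed"
    else echo "$db: local files only"; fi
done
echo "unresolved: $(unresolved_users root hypothetical_job_user_01)"
rm -f "$sample"
```

On a real node, pass `/etc/nsswitch.conf` and the list of users who submit jobs, and run it on every node of the cluster.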
