Hi Jessie & Ramesh,

Just wanted to extend the pointers given by Ramesh.

The auth_to_local rules actually just help Hadoop components (HDFS, Hive,
Kafka etc.) convert a Kerberos principal to a Unix user name. If you are
just using a standalone KDC (no LDAP etc.), then you'll still need to create
a Unix user & group(s) (on each Hadoop cluster node) for each Kerberos
principal and then sync them to the Ranger DB via usersync with Sync source set
to "Unix".

While auth_to_local rules help Ranger plugins determine the correct
user and its group(s) and send this info to the Ranger policy engine to be
checked against users/groups defined in the policy, auth_to_local rules will
not help in getting Kerberos principals into the Ranger DB. That has to be done
manually as given in the StackOverflow link referenced earlier:
<excerpt follows:>
1) Create Kafka principals in your KDC
2) Create local Kafka account on every node
3) Map principal to local account in auth_to_local
4) Use sync module to import local user to Ranger

On a related note, if you have FreeIPA as your Kerberos KDC, then you can use
SSSD (configured via the IPA client) to sync Kerberos principals as Unix users.
Then you can tell Ranger to sync from the "Unix" source into your Ranger DB.
This way, you can cut down on #2 and #3 given above.

Hope this helps.

Thanks,
VR
On Wed, Jan 2, 2019 at 7:01 PM Ramesh Mani <rm...@hortonworks.com> wrote:

> Hi Jessie,
>
> Good that you have a reference to solve this.
>
> Yes, you need to have auth_to_local configured for the Hadoop components in
> core-site.xml, so that the Kerberos principals from the components are
> translated to the users which you maintain in Ranger and in its policies.
>
> Please revert back if you have any issues.
>
> Thanks,
> Ramesh
>
> From: Jessie Kao <gaojingxu....@gmail.com>
> Reply-To: "user@ranger.apache.org" <user@ranger.apache.org>
> Date: Wednesday, January 2, 2019 at 1:05 PM
> To: "user@ranger.apache.org" <user@ranger.apache.org>
> Subject: Re: Question: whether and how Ranger user list can be synced
> with standalone MIT Kerberos principals
>
> looks like I can do auth_to_local and to Ranger...
> Found a similar question:
> https://stackoverflow.com/questions/42285976/ranger-user-sync-with-kerberos
>
>
> Will try and followup if I still need help. Thank you!
>
> On Wed, Jan 2, 2019 at 12:01 PM Jessie Kao <gaojingxu....@gmail.com>
> wrote:
>
>> Hi everyone,
>>
>> Happy New Year!
>>
>> This might be a dumb question... Really appreciate if someone could help
>> me figure this out.
>>
>> We have 1) standalone KDC (no AD/LDAP, etc.), 2) Kerberos-ed Hadoop
>> clusters, 3) Ranger Admin and Ranger HDFS plugin (configured for a Kerberos-ed
>> environment).
>>
>> My question is: whether and how the Ranger user list can be synced with
>> those Kerberos principals & how this will work. The fact is that those
>> Kerberos principals created will not be synced to the Ranger user list, and
>> users created in Ranger internally will not be Kerberos principals...
>>
>> Thank you for your time. Really appreciate it if someone could help.
>>
>> Best,
>> Jessie
>>
>

-- 
-Rathor
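The principal-to-Unix-user mapping that the thread above describes (auth_to_local rules in core-site.xml, evaluated by the Hadoop components and therefore by the Ranger plugins) is easy to get wrong, and a rule that is too broad maps principals you did not intend onto an account that Ranger policies trust. The following Python script is an added example, not code from this thread, from Ranger or from Hadoop: it re-implements the rule semantics of Hadoop's KerberosName (the `RULE:[n:format](match)s/pattern/replacement/[g][/L]` and `DEFAULT` forms) so that a rule set can be tested against sample principals before it is deployed. The realm `EXAMPLE.COM`, the rule set `RULES` and the principals fed to it are constructed for the demo.

```python
"""Evaluate Hadoop-style auth_to_local rules against sample principals.

Added example (not code from the Ranger thread, from Ranger or from Hadoop):
re-implements the rule semantics of Hadoop's KerberosName so a rule set can
be checked before it goes into core-site.xml.  Grammar:

    RULE:[n:format](match)s/pattern/replacement/[g][/L]
    DEFAULT

In 'format', $0 is the realm, $1 the primary and $2 the instance; 'match'
must match the whole formatted string; the first rule that applies wins.
"""
import re

RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"      # [n:format]
    r"(?:\(([^)]*)\))?"             # optional (match) regex
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"  # optional s/pattern/replacement/[g]
    r"/?(L)?$"                      # optional /L: lower-case the result
)
NON_SIMPLE = re.compile(r"[/@]")    # a short name may not look like a principal


def parse_principal(principal):
    """Split 'primary[/instance]@REALM' into (realm, primary, instance)."""
    name, sep, realm = principal.partition("@")
    parts = name.split("/")
    if not name or len(parts) > 2 or (sep and not realm):
        raise ValueError(f"malformed principal: {principal!r}")
    return (realm if sep else None, parts[0], parts[1] if len(parts) == 2 else None)


class Rule:
    def __init__(self, text):
        self.text = text.strip()
        self.is_default = self.text == "DEFAULT"
        if self.is_default:
            return
        m = RULE_RE.match(self.text)
        if not m:
            raise ValueError(f"malformed auth_to_local rule: {text!r}")
        n, fmt, match, pattern, repl, g, lower = m.groups()
        self.num_components = int(n)
        self.fmt = fmt
        self.match = re.compile(match) if match is not None else None
        self.pattern = re.compile(pattern) if pattern is not None else None
        # Hadoop (Java) writes back-references as $1; Python's re.sub wants \1.
        self.repl = re.sub(r"\$(\d+)", r"\\\1", repl or "")
        self.repeat = g == "g"
        self.lower = lower == "L"

    def apply(self, params, default_realm):
        """Short name this rule yields for params=[realm, primary, instance?], or None."""
        if self.is_default:
            # DEFAULT strips the realm, but only for principals in our own realm.
            return params[1] if params[0] == default_realm else None
        if len(params) - 1 != self.num_components:
            return None          # rule is for a different number of components
        # Expand "$1@$0" etc. into the string the match/substitution operate on.
        base = re.sub(r"\$(\d+)",
                      lambda m: params[int(m.group(1))] if int(m.group(1)) < len(params) else "",
                      self.fmt)
        if self.match is not None and self.match.fullmatch(base) is None:
            return None
        result = base
        if self.pattern is not None:
            result = self.pattern.sub(self.repl, base, count=0 if self.repeat else 1)
        return result.lower() if self.lower else result


def map_principal(principal, rules, default_realm):
    """Map a Kerberos principal to a Unix user name; raise ValueError if no rule applies."""
    realm, primary, instance = parse_principal(principal)
    if realm is None and instance is None:
        return primary           # already a bare short name
    params = [realm or "", primary] + ([instance] if instance is not None else [])
    for rule in rules:
        result = rule.apply(params, default_realm)
        if result is None:
            continue
        # Hadoop's default mechanism refuses results that still contain '/' or '@'.
        if NON_SIMPLE.search(result):
            raise ValueError(f"non-simple name {result!r} after rule {rule.text}")
        return result
    raise ValueError(f"no auth_to_local rule applied to {principal!r}")


def map_or_none(principal, rules, default_realm):
    """Like map_principal, but None instead of an exception (handy for review tables)."""
    try:
        return map_principal(principal, rules, default_realm)
    except ValueError:
        return None


DEFAULT_REALM = "EXAMPLE.COM"   # constructed realm for the demo

# Constructed rule set of the kind the thread describes: each service principal
# maps to the local account created for it, users of a trusted corporate realm
# are lower-cased, users of our own realm just drop the realm (DEFAULT), and
# everything else is rejected instead of being mapped to something unexpected.
RULES = [Rule(r) for r in [
    r"RULE:[2:$1@$0](nn@EXAMPLE\.COM)s/.*/hdfs/",
    r"RULE:[2:$1@$0](kafka@EXAMPLE\.COM)s/.*/kafka/",
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*///L",
    "DEFAULT",
]]

if __name__ == "__main__":
    for p in ["nn/nn1.example.com@EXAMPLE.COM", "kafka/broker1.example.com@EXAMPLE.COM",
              "bob@EXAMPLE.COM", "Alice@CORP.EXAMPLE.COM", "nn/nn1.other.org@OTHER.ORG"]:
        print(f"{p:40} -> {map_or_none(p, RULES, DEFAULT_REALM)}")
```

Two checks worth running against any real rule set: a principal from a realm you do not trust should come back as rejected rather than as a service account (drop the `(match)` part from the `nn` rule above and `nn/nn1.other.org@OTHER.ORG` silently becomes `hdfs`), and every service principal must end up as exactly the local account that usersync imported into Ranger, since that is the name the plugin sends to the policy engine.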
