Hi Bosco,
Thanks for your help.
For this test I'm not using Kerberos, I'm just testing a simple pipeline
with Hive+Ranger and some external tables in S3 and seeing what the
requirements are.
From your comments, I understand I need to set up SSSD as explained in the
link you provided:
https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.2.0/bk_ambari-security/content/setting_up_hadoop_group_mappping_for_ldap_ad.html
and having also the sync for Ranger would allow me to create policies.

Why do you say "LdapGroupsMapping is not recommended"? It seems the only
way to ingest and use information from LDAP.

Thanks.

On Mon, 25 Mar 2019 at 16:47, Don Bosco Durai <bo...@apache.org> wrote:

> There are a few things:
>
>    1. In Kerberos/secure mode, users need to be materialized on each
>    node. If you are using AD/LDAP, then you can use SSSD (or equivalent), else
>    you need to create the users explicitly on each node using ansible or
>    puppet or manually…
>    2. The group mapping can be via LDAP or by groups from unix (SSSD will
>    also do this for you). FYI, LdapGroupsMapping is not recommended due to
>    performance reasons. FYI, if you are using SSSD, it will get the groups
>    from LDAP/AD.
>    3. In Kerberos/secure mode, you need to materialize users on each node
>    regardless of whether you are accessing S3 or HDFS. This is a YARN
>    requirement, so that the YARN job process will run as the end user.
>    4. The users and groups in Ranger are just for convenience to create
>    policy. Having it or not in Ranger doesn’t affect the service. However,
>    you will not be able to create the policies in Ranger. During testing or
>    PoC, if you don’t want to sync, you can manually add them to Ranger using
>    the Ranger Admin UI.
>
>
>
> Bosco
>
>
>
>
>
> *From: *Odon Copon <odonco...@gmail.com>
> *Reply-To: *<user@ranger.apache.org>
> *Date: *Monday, March 25, 2019 at 8:36 AM
> *To: *<user@ranger.apache.org>
> *Subject: *Ranger + Hive
>
>
>
> Hi,
>
> On my last test using HDFS + Ranger I had to sync my LDAP groups with
> Hadoop based on the following link:
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/setting_up_hadoop_group_mappping_for_ldap_ad.html
>
>
>
> That means users and groups had to be in Ranger and the Hadoop cluster to make
> policies work.
>
> But what about Hive + Ranger?
>
> Is that mapping also required?
>
> Do I need users also to be mapped in the Hadoop cluster?
>
> What if tables are in S3 instead of HDFS, for example?
>
>
>
> Thanks.
>
