HDFS group permissions issue, cluster integrated with Kerberos + AD
CDH cluster integrated with Kerberos + AD.
user_A is added to groups groupX and AD_GROUP_X.
user_B is added to groups groupX and AD_GROUP_X.
There are two files in HDFS with different group permissions:
/user/file_a
- owner: user_A, group: groupA
- permissions: u=rwx, g=rwx, o=---
/user/file_b
- owner: user_B, group: AD_GROUP_X
- permissions: u=rwx, g=rwx, o=---
Scenario #1:
user_A wants to access file /user/file_b ==> Success
Scenario #2:
user_B wants to access file /user/file_a ==> failed
Expected: success
Once AD is integrated with the cluster, does HDFS read only AD groups, or can it read both AD groups and unix groups?
Multiple existing group mapping providers can be configured and combined, without expecting all users to live in one place. That is, AD users can use the LdapGroupsMapping provider for their groups, and Unix users can use the default provider ShellBasedUnixGroupsMapping for unix group mapping.
It can be configured as shown below.
<property>
<name>hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.CompositeGroupsMapping</value>
</property>
<property>
<name>hadoop.security.group.mapping.providers</name>
<value>unix,ad01,ad02</value>
</property>
<property>
<name>hadoop.security.group.mapping.providers.combined</name>
<value>true</value>
<description>true or false to indicate whether groups from the providers are combined or not. If true, all the providers are tried and the final result is all the groups where the user exists. If false, the first group in which the user was found is returned. Default value is true.
</description>
</property>
<property>
<name>hadoop.security.group.mapping.provider.unix</name>
<value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad01</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad02</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad01.ldap.url</name>
<value>ldap://</value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad02.ldap.url</name>
<value>ldap://</value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad01.ldap.bind.user</name>
<value></value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad02.ldap.bind.user</name>
<value></value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad01.ldap.base</name>
<value></value>
</property>
<property>
<name>hadoop.security.group.mapping.provider.ad02.ldap.base</name>
<value></value>
</property>
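To see how the combined setting changes the permission outcome, here is an added Python simulation (not code from the original post or from Hadoop itself) of the two-provider composite lookup followed by the HDFS owner/group/other check. The provider dicts, the file metadata and the function names are assumptions constructed from the scenario in the question; the "unix" and "ad01" dicts stand in for ShellBasedUnixGroupsMapping and LdapGroupsMapping.

```python
"""Simulate CompositeGroupsMapping and the HDFS group-permission check.

Added example, not code from the original post. Memberships and file
metadata are constructed from the question; the two providers are
in-memory dicts standing in for the unix and LDAP/AD backends.
"""

# Constructed provider data (hypothetical): what each backend would return.
UNIX_PROVIDER = {
    "user_A": ["groupX"],
    "user_B": ["groupX"],
}
AD_PROVIDER = {
    "user_A": ["AD_GROUP_X"],
    "user_B": ["AD_GROUP_X"],
}
# Same order as hadoop.security.group.mapping.providers=unix,ad01
PROVIDERS = [("unix", UNIX_PROVIDER), ("ad01", AD_PROVIDER)]

# Constructed file metadata from the question (mode as rwx triplets u/g/o).
FILES = {
    "/user/file_a": {"owner": "user_A", "group": "groupA", "mode": "rwxrwx---"},
    "/user/file_b": {"owner": "user_B", "group": "AD_GROUP_X", "mode": "rwxrwx---"},
}


def resolve_groups(user, providers, combined=True):
    """Mirror hadoop.security.group.mapping.providers.combined.

    combined=True : query every provider and union the results (order kept).
    combined=False: return only the groups from the first provider that
                    knows the user; later providers are never consulted.
    """
    groups = []
    for _name, backend in providers:
        found = backend.get(user, [])
        if not found:
            continue
        if not combined:
            return list(found)
        for g in found:
            if g not in groups:
                groups.append(g)
    return groups


def check_access(path, user, groups, want="r"):
    """POSIX-style check as HDFS applies it: owner class, else group class, else other."""
    meta = FILES[path]
    mode = meta["mode"]
    if user == meta["owner"]:
        cls = mode[0:3]
    elif meta["group"] in groups:
        cls = mode[3:6]
    else:
        cls = mode[6:9]
    return want in cls


def explain(path, user, combined=True):
    """Resolve the user's groups under the given setting and evaluate the file."""
    groups = resolve_groups(user, PROVIDERS, combined)
    return {
        "user": user,
        "groups": groups,
        "file_group": FILES[path]["group"],
        "allowed": check_access(path, user, groups),
    }


if __name__ == "__main__":
    for combined in (True, False):
        print(f"providers.combined={str(combined).lower()}")
        print("  scenario 1:", explain("/user/file_b", "user_A", combined))
        print("  scenario 2:", explain("/user/file_a", "user_B", combined))
```

With the memberships as posted, user_B resolves to groupX and AD_GROUP_X under either setting, and neither is file_a's group groupA, so the second scenario is denied regardless of how the providers are combined; the place to look is the file's group versus the user's resolved groups. Setting providers.combined to false would additionally drop AD_GROUP_X for a user the unix provider already knows and break the first scenario. On a real cluster, `hdfs groups <user>` prints the groups the NameNode actually resolved, which is the value to compare against the group shown by `hdfs dfs -ls`.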