Each host that comprises a node in a Cloudera cluster runs an operating system, such as CentOS or Oracle Linux.
At the OS-level, there are user:group accounts created during installation that map to the services running on that specific node of the cluster.The default shell-based group mapping provider, org.apache.hadoop.security.ShellBasedUnixGroupsMapping, handles the mapping from the local host system (the OS) to the specific cluster service, such as HDFS. The hosts authenticate using these local OS accounts before processes are allowed to run on the node.
CDH的每个节点都会运行像CentOS这种操作系统。在OS级别,在安装期间会创建映射到节点上服务的linux系统用户,
org.apache.hadoop.security.ShellBasedUnixGroupsMapping就是默认的基于shell的组映射器,用来把linux用户映射到服务,比如hdfs:hdfs用户映射到hdfs服务,如果不用kerberos,认证是通过linux认证的。
For clusters integrated with Kerberos for authentication, the hosts must also provide Kerberos tickets before processes can run on the node. The cluster can use the organization’s LDAP directory service to provide the login credentials, including Kerberos tickets, to authenticate transparently while the system runs. That means that the local user:group accounts on each host must be mapped to LDAP accounts. To map local user:group accounts to an LDAP service:
如果使用kerberos认证,节点必须提供kerberos的票据,集群可以使用LDAP认证,这意味着linux系统用户必须映射到ldap账号,
- Use tools such as SSSD (Systems Security Services Daemon) or Centrify Server Suite (see Identity and Access management for Cloudera).
使用SSSD或者CSS
- The Hadoop LdapGroupsMapping group mapping mechanism. The LdapGroupsMapping library may not be as robust a solution needed for large organizations in terms of scalability and manageability, especially for organizations managing identity across multiple systems and not exclusively for Hadoop clusters. Support for the LdapGroupsMapping library is not consistent across all operating systems.
Hadoop LdapGroupsMapping组映射机制。就可伸缩性和可管理性而言,LdapGroupsMapping库可能不是大型组织所需要的健壮解决方案,特别是对于跨多个系统管理身份的组织,而不仅仅是针对Hadoop集群。对LdapGroupsMapping库的支持在所有操作系统中并不一致。
- Do not use Winbind to map Linux user:group accounts to Active Directory. It cannot scale, impedes cluster performance, and is not supported.
不要使用Winbind将Linux user:group帐户映射到Active Directory。它不能扩展,妨碍集群性能,而且不受支持。
- Use the same user:group mappings across all cluster nodes, for ease of management.
使用相同的userLgroup 映射到所有的节点,以方便管理
- Use either Cloudera Manager or the command-line process detailed below.
使用Cloudera管理器或下面详细介绍的命令行进程
The local user:group accounts must be mapped to LDAP for group mappings in Hadoop. You must create the users and groups for your Hadoop services in LDAP.
To integrate the cluster with an LDAP service, the user:group relationships must be contained in the LDAP directory. The admin must create the user accounts and define groups for user:group relationships on each host.
对于Hadoop中的组映射,必须将本地user:group帐户映射到LDAP。必须在LDAP中为Hadoop服务创建用户和组。
要将集群与LDAP服务集成,必须将user:group关系包含在LDAP目录中。管理员必须为每个主机上的user:group关系创建用户帐户并定义组。
以下是CDH服务的user:group列表
如果任何服务的默认值已经更改,则使用自定义值在LDAP服务器中为该服务创建用户并配置组,而不是使用下表中列出的默认值。例如,您更改了Cloudera Manager管理控制台中的默认值,以定制服务的系统用户或系统组设置。
Cloudera Manager 5.3 (and later releases) can be deployed in single user mode. In single user mode, Hadoop users and groups are subsumed by cloudera-scm:cloudera-scm. Cloudera Manager starts all Cloudera Manager Agent processes and services running on the nodes in the cluster as a unit owned by this cloudera-scm:cloudera-scm. Single user mode is not recommended for production clusters.
CM5.3之后新增单用户模式,在单用户模式,Hadoop用户和组都使用cloudera-scm:cloudera-scm,CM使用cloudera-scm:cloudera-scm 用户启动所有的agent进程和服务。单用户模式在生产中不推荐。
In addition:
For Sentry with Hive, add these properties on the HiveServer2 node.
For Sentry with Impala, add these properties to all hosts.
See Users and Groups in Sentry for more information.
额外的:
hive整合sentry,在HS2节点增加这些属性
impala整合sentry,在所有节点增加这些属性
Users and Groups in Sentry
使用CM
所需的最低角色:配置器(也由集群管理员提供,完全管理员)
尽管上述更改对于配置Active Directory的组映射已经足够了,但对于OpenLDAP,可能还需要对其余的缺省配置进行一些更改。
使用命令行
Add the following properties to the core-site.xml on the NameNode:
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
