Posted to user@hadoop.apache.org by chen dong <ch...@gmail.com> on 2016/10/14 02:43:33 UTC

Where does Hadoop get username and group mapping from for linux shell username and group mapping?

Hi, 

Currently I am working on a project to enhance the security for the Hadoop cluster. Eventually I will use Kerberos and Sentry for authentication and authorisation. And the username and group mapping will come from AD/LDAP (?), I think so. 

But now I am just learning and trying. I have a question that I haven’t figured out:

Where does the username/group mapping information come from?

As far as I know, there is no username and group name for Hadoop, and the username and group name come from the client, whether from the local client machine or the Kerberos realm. But it is a little bit vague to me; can I get the implementation details here?

Is this information from the machine where the HDFS client is located or from the Linux shell username and group on the name node? Or does it depend on the context - even related to the data node? What if the data nodes and name nodes have different users or user-group mappings on the local boxes?

Regards,

Dong


Re: Where does Hadoop get username and group mapping from for linux shell username and group mapping?

Posted by Wei-Chiu Chuang <we...@cloudera.com>.
If you want to drill down a bit, I recommend reading this doc too: http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/GroupsMapping.html
This is for trunk Hadoop 3.0, but most of it applies to 2.7/2.8.

Wei-Chiu Chuang
A very happy Clouderan

> On Oct 14, 2016, at 11:33 AM, Ravi Prakash <ra...@gmail.com> wrote:
> 
> Chen! 
> 
> It gets it from whatever is configured on the Namenode. https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#Group_Mapping
> 
> HTH
> Ravi
> 
> On Thu, Oct 13, 2016 at 7:43 PM, chen dong <chendong.jy@gmail.com> wrote:
> Hi, 
> 
> Currently I am working on a project to enhance the security for the Hadoop cluster. Eventually I will use Kerberos and Sentry for authentication and authorisation. And the username and group mapping will come from AD/LDAP (?), I think so. 
> 
> But now I am just learning and trying. I have a question that I haven’t figured out:
> 
> Where does the username/group mapping information come from?
> 
> As far as I know, there is no username and group name for Hadoop, and the username and group name come from the client, whether from the local client machine or the Kerberos realm. But it is a little bit vague to me; can I get the implementation details here?
> 
> Is this information from the machine where the HDFS client is located or from the Linux shell username and group on the name node? Or does it depend on the context - even related to the data node? What if the data nodes and name nodes have different users or user-group mappings on the local boxes?
> 
> Regards,
> 
> Dong
> 
> 


Re: Where does Hadoop get username and group mapping from for linux shell username and group mapping?

Posted by Ravi Prakash <ra...@gmail.com>.
Chen!

It gets it from whatever is configured on the Namenode.
https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#Group_Mapping

HTH
Ravi

On Thu, Oct 13, 2016 at 7:43 PM, chen dong <ch...@gmail.com> wrote:

> Hi,
>
> Currently I am working on a project to enhance the security for the Hadoop
> cluster. Eventually I will use Kerberos and Sentry for authentication and
> authorisation. And the username and group mapping will come from AD/LDAP
> (?), I think so.
>
> But now I am just learning and trying. I have a question that I haven’t
> figured out:
>
> *Where does the username/group mapping information come from?*
>
> As far as I know, there is no username and group name for Hadoop, and the
> username and group name come from the client, whether from the local client
> machine or the Kerberos realm. But it is a little bit vague to me; can I
> get the implementation details here?
>
> Is this information from the machine where the HDFS client is located or from
> the Linux shell username and group on the name node? Or does it depend on the
> context - even related to the data node? What if the data nodes and name nodes
> have different users or user-group mappings on the local boxes?
>
> Regards,
>
> Dong
>
>
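
As an added illustration (not part of any message in this thread): the group mapping the replies point to is selected in core-site.xml on the NameNode through hadoop.security.group.mapping. The LDAP host, bind DN, search base and file path below are placeholder assumptions.

```xml
<!-- core-site.xml on the NameNode. Added example; host names, DNs and
     paths are placeholders, not values from this thread. -->
<configuration>

  <!-- Option A: resolve groups from the NameNode host's own OS accounts.
       The user must then be known to the NameNode machine; group
       memberships defined only on a client machine or a DataNode are not
       what HDFS permission checks see. -->
  <!--
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
  </property>
  -->

  <!-- Option B: resolve groups from AD/LDAP, so every node that performs
       group lookups gets the same answer from one directory. -->
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.com:636</value>
  </property>
  <property>
    <!-- Encrypt the lookup; a truststore for the LDAP server's
         certificate must also be available to the JVM. -->
    <name>hadoop.security.group.mapping.ldap.ssl</name>
    <value>true</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>cn=hadoop-bind,ou=service,dc=example,dc=com</value>
  </property>
  <property>
    <!-- Keep the bind password in a file readable only by the HDFS
         service account rather than inline in this file. -->
    <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <value>/etc/hadoop/conf/ldap-bind.password</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.base</name>
    <value>dc=example,dc=com</value>
  </property>
</configuration>
```

Running `hdfs groups <username>` reports the groups as the NameNode resolves them, which can be compared with `id -Gn <username>` on a client machine to spot differences between the two views.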