Posted to user@hadoop.apache.org by "Zheng, Kai" <ka...@intel.com> on 2013/06/29 01:29:23 UTC

Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup

Hi all,

I have a setup using MIT Kerberos with OpenLDAP as the user database. It's desired to use the same user database that holds all the kinit principal accounts for the identity store to be used for groups mapping provider via LdapGroupsMappingProvider. However, I found there are 3 issues:

1. For the Kerberos principal object, there is no appropriate attribute to determine the short name. As you know, Hadoop uses the short name in ACL rules.

2. We know how to add a principal for a user account, but how to add a group so that it allows to do ACL via group?

3. Related to 2, no attribute for the Kerberos principal object is found that can be used to determine the user's groups.

I'm wondering if there's something wrong in my setup. Could any extra LDAP schema be applied to allow all of these?

I think this case might not be supported, but it makes sense in such a setup to ease the deployment. Of course AD can be used for such consideration, but we might face existing deployments that use MIT Kerberos and OpenLDAP.

Thanks for your help.

Regarding,
Kai


RE: Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup

Posted by "Zheng, Kai" <ka...@intel.com>.
Azuryy, thanks for your info. I would take time to learn about whosso.

Any more comments or thoughts here? Thanks.

Regards,
Kai

From: Azuryy Yu [mailto:azuryyyu@gmail.com]
Sent: Saturday, June 29, 2013 8:37 AM
To: user@hadoop.apache.org
Subject: Re: Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup


You can try whosso, which is simpler than Kerberos.

--Sent from my Sony mobile.
On Jun 29, 2013 7:29 AM, "Zheng, Kai" <ka...@intel.com> wrote:
Hi all,

I have a setup using MIT Kerberos with OpenLDAP as the user database. It's desired to use the same user database that holds all the kinit principal accounts for the identity store to be used for groups mapping provider via LdapGroupsMappingProvider. However, I found there are 3 issues:

1. For the Kerberos principal object, there is no appropriate attribute to determine the short name. As you know, Hadoop uses the short name in ACL rules.

2. We know how to add a principal for a user account, but how to add a group so that it allows to do ACL via group?

3. Related to 2, no attribute for the Kerberos principal object is found that can be used to determine the user's groups.

I'm wondering if there's something wrong in my setup. Could any extra LDAP schema be applied to allow all of these?

I think this case might not be supported, but it makes sense in such a setup to ease the deployment. Of course AD can be used for such consideration, but we might face existing deployments that use MIT Kerberos and OpenLDAP.

Thanks for your help.

Regarding,
Kai


Re: Could we use the same identity store for user groups mapping in MIT Kerberos + OpenLDAP setup

Posted by Azuryy Yu <az...@gmail.com>.
You can try whosso, which is simpler than Kerberos.

--Sent from my Sony mobile.
On Jun 29, 2013 7:29 AM, "Zheng, Kai" <ka...@intel.com> wrote:

> Hi all,
>
> I have a setup using MIT Kerberos with OpenLDAP as the user database. It’s
> desired to use the same user database that holds all the kinit principal
> accounts for the identity store to be used for groups mapping provider via
> LdapGroupsMappingProvider. However, I found there are 3 issues:
>
> 1. For the Kerberos principal object, there is no appropriate
> attribute to determine the short name. As you know, Hadoop uses the short
> name in ACL rules.
>
> 2. We know how to add a principal for a user account, but how to
> add a group so that it allows to do ACL via group?
>
> 3. Related to 2, no attribute for the Kerberos principal object is
> found that can be used to determine the user’s groups.
>
> I’m wondering if there’s something wrong in my setup. Could any extra LDAP
> schema be applied to allow all of these?
>
> I think this case might not be supported, but it makes sense in such a setup
> to ease the deployment. Of course AD can be used for such consideration,
> but we might face existing deployments that use MIT Kerberos and OpenLDAP.
>
> Thanks for your help.
>
> Regarding,
>
> Kai
