This is the documentation for Cloudera 5.2.x.
Documentation for other versions is available at Cloudera Documentation.

Configuring LDAP Group Mappings

When configuring LDAP for group mappings in Hadoop, you must create the users and groups for your Hadoop services in LDAP. When using the default shell-based group mapping provider (org.apache.hadoop.security.ShellBasedUnixGroupsMapping), the requisite user and group relationships already exist because they are created during the installation procedure. When you switch to LDAP as the group mapping provider, you must re-create these relationships within LDAP.

  Note: If you have modified the System User or System Group setting within Cloudera Manager for any service, you must use those custom values to provision the users and groups in LDAP.
The table below lists the Unix user and the group memberships that each CDH service expects; these are the accounts and groups you must provision in LDAP:

Table 1. Users & Groups

  Service          Unix User ID   Groups
  Flume            flume          flume
  HBase            hbase          hbase
  HDFS             hdfs           hdfs, hadoop
  Hive             hive           hive
  HCatalog         hive           hive
  HttpFS           httpfs         httpfs
  Hue              hue            hue
  Cloudera Impala  impala         impala, hdfs, hive
  Llama            llama          llama
  MapReduce        mapred         mapred, hadoop
  Oozie            oozie          oozie
  Cloudera Search  solr           solr
  Spark            spark          spark
  Sentry           sentry         sentry
  Sqoop            sqoop          sqoop
  Sqoop2           sqoop2         sqoop, sqoop2
  YARN             yarn           yarn, hadoop
  ZooKeeper        zookeeper      zookeeper
  Important:
  • You can use either Cloudera Manager or the following command-line instructions to complete this configuration.
  • This information applies specifically to CDH 5.2.x. If you use an earlier version of CDH, see the documentation for that version located at Cloudera Documentation.

Using Cloudera Manager

Required Role:

Make the following changes to the HDFS service's security configuration:
  1. Open the Cloudera Manager Admin Console and navigate to the HDFS service.
  2. Click the Configuration tab.
  3. Modify the following configuration properties under the Service-Wide > Security section. The table below lists the properties and the value to be set for each property.
    Configuration Property                          Value
    Hadoop User Group Mapping Implementation        org.apache.hadoop.security.LdapGroupsMapping
    Hadoop User Group Mapping LDAP URL              ldap://<server>
    Hadoop User Group Mapping LDAP Bind User        Administrator@example.com
    Hadoop User Group Mapping LDAP Bind User Password  ***
    Hadoop User Group Mapping Search Base           dc=example,dc=com
The remaining properties keep their defaults, and those defaults (the user and group search filters, the member attribute, and the group name attribute) use Active Directory schema names such as objectClass=user, sAMAccountName, objectClass=group and member. The changes above are therefore sufficient for Active Directory, but for OpenLDAP you will usually also need to change those filter and attribute values to match your directory's schema.

Using the Command Line

Add the following properties to the core-site.xml on the NameNode (ldap://server and the bind password are placeholders; the &amp; in the user search filter is the XML escape for a literal & in the LDAP filter):

<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://server</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>Administrator@example.com</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>****</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value>dc=example,dc=com</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(objectClass=user)(sAMAccountName={0}))</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectClass=group)</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>

<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
  Note:
  • If you are using Sentry with Hive, you must also add these properties to core-site.xml on the HiveServer2 host.
  • If you are using Sentry with Impala, add these properties on all hosts.
See Users and Groups in Sentry for more information.
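The following is an added example, not Cloudera or Apache Hadoop code. It reproduces the two LDAP searches that org.apache.hadoop.security.LdapGroupsMapping issues for a user (look the user up with search.filter.user to get its DN, then find every group whose search.attr.member holds that DN, returning search.attr.group.name) against a small in-memory directory, so the filter values from the core-site.xml above can be checked against the memberships in Table 1 before a cluster is switched over. The directory entries, the OPENLDAP_CONFIG values and all helper names are constructed for illustration; only the AD_CONFIG values come from the page. The simulator also shows the OpenLDAP caveat from the Cloudera Manager section: OpenLDAP-style entries resolve to no groups at all under the Active Directory defaults.

```python
"""Simulate Hadoop's LdapGroupsMapping lookups against an in-memory directory.

Added example (not Cloudera/Hadoop code): mirrors the two searches
LdapGroupsMapping performs so core-site.xml filter values can be checked
against Table 1. Directory contents and OPENLDAP_CONFIG are constructed.
"""
import re

BASE = "dc=example,dc=com"

# Constructed entries for a few Table 1 rows, in the Active Directory schema
# the page's filters assume (objectClass user/group, sAMAccountName, member=DN).
DIRECTORY = [
    ("cn=hdfs,ou=users,dc=example,dc=com",
     {"objectClass": ["user"], "sAMAccountName": ["hdfs"]}),
    ("cn=hive,ou=users,dc=example,dc=com",
     {"objectClass": ["user"], "sAMAccountName": ["hive"]}),
    ("cn=impala,ou=users,dc=example,dc=com",
     {"objectClass": ["user"], "sAMAccountName": ["impala"]}),
    ("cn=impala,ou=groups,dc=example,dc=com",
     {"objectClass": ["group"], "cn": ["impala"],
      "member": ["cn=impala,ou=users,dc=example,dc=com"]}),
    ("cn=hdfs,ou=groups,dc=example,dc=com",
     {"objectClass": ["group"], "cn": ["hdfs"],
      "member": ["cn=hdfs,ou=users,dc=example,dc=com",
                 "cn=impala,ou=users,dc=example,dc=com"]}),
    ("cn=hive,ou=groups,dc=example,dc=com",
     {"objectClass": ["group"], "cn": ["hive"],
      "member": ["cn=hive,ou=users,dc=example,dc=com",
                 "cn=impala,ou=users,dc=example,dc=com"]}),
    ("cn=hadoop,ou=groups,dc=example,dc=com",
     {"objectClass": ["group"], "cn": ["hadoop"],
      "member": ["cn=hdfs,ou=users,dc=example,dc=com"]}),
    # Constructed OpenLDAP-style account and group: the AD filters never match
    # these, which is why OpenLDAP needs different filter values.
    ("uid=solr,ou=people,dc=example,dc=com",
     {"objectClass": ["inetOrgPerson"], "uid": ["solr"]}),
    ("cn=solr,ou=groups,dc=example,dc=com",
     {"objectClass": ["groupOfNames"], "cn": ["solr"],
      "member": ["uid=solr,ou=people,dc=example,dc=com"]}),
]

# Values from the core-site.xml on the page; &amp; there is a literal & here.
AD_CONFIG = {
    "base": BASE,
    "search.filter.user": "(&(objectClass=user)(sAMAccountName={0}))",
    "search.filter.group": "(objectClass=group)",
    "search.attr.member": "member",
    "search.attr.group.name": "cn",
}

# Assumed OpenLDAP equivalents (inetOrgPerson accounts, groupOfNames groups
# whose member attribute still holds DNs); not values from the page.
OPENLDAP_CONFIG = {**AD_CONFIG,
                   "search.filter.user": "(&(objectClass=inetOrgPerson)(uid={0}))",
                   "search.filter.group": "(objectClass=groupOfNames)"}


def _split_subfilters(body):
    """Split "(a=b)(c=d)" into its top-level parenthesised pieces."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(attrs, filt):
    """Minimal LDAP filter evaluator: equality terms and & conjunctions only."""
    filt = filt.strip()
    if filt.startswith("(&"):
        return all(matches(attrs, sub) for sub in _split_subfilters(filt[2:-1]))
    m = re.fullmatch(r"\(([^=()]+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    name, value = m.group(1), m.group(2)
    for key, values in attrs.items():   # attribute names are case-insensitive
        if key.lower() == name.lower():
            return value in values
    return False


def search(base, filt):
    """Subtree search: entries under base whose attributes satisfy filt."""
    return [(dn, attrs) for dn, attrs in DIRECTORY
            if dn.lower().endswith(base.lower()) and matches(attrs, filt)]


def ldap_groups(user, cfg):
    """Groups LdapGroupsMapping would return for user; [] if user is not found."""
    users = search(cfg["base"], cfg["search.filter.user"].replace("{0}", user))
    if not users:
        return []
    user_dn = users[0][0]
    group_filter = "(&%s(%s=%s))" % (cfg["search.filter.group"],
                                     cfg["search.attr.member"], user_dn)
    return [attrs[cfg["search.attr.group.name"]][0]
            for _, attrs in search(cfg["base"], group_filter)]


# Expected memberships from Table 1 for the rows the directory covers.
TABLE1 = {"hdfs": {"hdfs", "hadoop"}, "hive": {"hive"},
          "impala": {"impala", "hdfs", "hive"}, "solr": {"solr"}}


def check_table(cfg):
    """Map each Table 1 user the config resolves wrongly to the groups it got."""
    return {u: ldap_groups(u, cfg) for u, want in TABLE1.items()
            if set(ldap_groups(u, cfg)) != want}


if __name__ == "__main__":
    print("AD filters, unresolved rows:", check_table(AD_CONFIG))
    print("OpenLDAP filters, unresolved rows:", check_table(OPENLDAP_CONFIG))
```

Running it shows that the Active Directory filters resolve hdfs, hive and impala exactly as Table 1 requires but return nothing for the OpenLDAP-style solr entry, and the reverse for the OpenLDAP filters; a user the directory does not know resolves to an empty list, which is also what the real provider returns, so a service whose account was never provisioned in LDAP silently loses all its groups. The simulator does not exercise the bind: test that separately with ldapsearch using the same bind user, password, base and filters, and after the NameNode restart confirm the live resolution with hdfs groups <user>. Remember that the bind password is stored in cleartext in core-site.xml on every host that carries these properties, and that a simple bind over a plain ldap:// URL sends it across the network unencrypted, so restrict who can read that file and prefer an encrypted connection to the directory.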