Prerequisites and Preparation

Before starting the preparation, make sure that the Datameer X application is configured with the appropriate authenticator, so that only valid HDFS users and groups exist in Datameer.

...

A key consideration for enabling the impersonation feature is that all users and groups available in Datameer X must map directly to the HDFS user/group community. This is typically done by configuring Datameer X to use an LDAP authenticator and employing group filtering to ensure that only valid HDFS groups are available within Datameer. See details on configuring the Datameer X LDAP Authenticator.

Info: Set up Authenticator First

For the best results, first configure the remote authenticator and then import users, to ensure that the group filters work properly.

...

At this point, the Datameer X installation should be configured to run in secure cluster mode. Please ensure that secure grid mode is configured and working before continuing. 

Warning: Don't enable secure impersonation yet!

HDFS group setup

It is recommended to create an HDFS group containing all Datameer X users, for two reasons:

  1. To avoid having to configure any directories as world writable.
  2. To tightly control which users the Datameer X user can proxy.

This Datameer X users group can be excluded from Datameer's LDAP authenticator if you don't want to expose it to end users.

Configuring Datameer X as a super user and specifying allowed proxy users

Because secure impersonation in Datameer X is based on native Hadoop mechanisms, the OS user that runs the Datameer X application must be configured both as an HDFS superuser (a member of the HDFS supergroup) and as a proxy user allowed to impersonate Datameer X users from the Datameer X machine.

Add a Datameer X user to the HDFS supergroup

The HDFS supergroup is named supergroup by default, but it is configured in hdfs-site.xml by the setting:

...

Once you have determined the supergroup, add the Datameer X user to this group through your normal OS user management tools.

...

For example, assuming the Datameer X user is datameer and that a group called dasusers exists which contains all Datameer X users, the groups setting is as follows:

...

Next, assuming that the Datameer X application is running on datameer.example.com, the hosts setting is configured as:

...

If you are using a Kerberos-secured cluster with secure impersonation and HDFS transparent encryption, you also need to configure the proxy user for KMS.
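The following check is an added example, not part of the Datameer X documentation or product: it parses a constructed core-site.xml fragment and verifies that the proxy-user settings for the datameer user restrict impersonation to the dasusers group and the datameer.example.com host, flagging the wildcard value that would let the Datameer X user impersonate anyone from anywhere. The hadoop.proxyuser.<user>.groups and .hosts keys are standard Hadoop property names; the KMS equivalents in kms-site.xml use the hadoop.kms.proxyuser prefix, which the prefix parameter supports.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant core-site.xml entries, following the
# page's example: proxy user datameer, group dasusers, host
# datameer.example.com. The hadoop.proxyuser.<user>.groups/.hosts keys are
# standard Hadoop property names; the KMS equivalents in kms-site.xml use
# the hadoop.kms.proxyuser prefix.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.proxyuser.datameer.groups</name>
    <value>dasusers</value>
  </property>
  <property>
    <name>hadoop.proxyuser.datameer.hosts</name>
    <value>datameer.example.com</value>
  </property>
</configuration>
"""

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop site file."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.findall("property")}

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_proxyuser(props, proxy_user, expected_group, expected_host,
                    prefix="hadoop.proxyuser"):
    """Return a list of findings; an empty list means the proxy configuration
    restricts impersonation to the expected group and host."""
    findings = []
    groups = props.get("%s.%s.groups" % (prefix, proxy_user))
    hosts = props.get("%s.%s.hosts" % (prefix, proxy_user))
    if groups is None:
        findings.append("groups setting missing")
    elif groups == "*":
        findings.append("groups is '*': %s could impersonate any user" % proxy_user)
    elif expected_group not in _split(groups):
        findings.append("group %s is not among the allowed groups" % expected_group)
    if hosts is None:
        findings.append("hosts setting missing")
    elif hosts == "*":
        findings.append("hosts is '*': any host may send impersonated requests")
    elif expected_host not in _split(hosts):
        findings.append("host %s is not among the allowed hosts" % expected_host)
    return findings
```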

Preparing the Datameer X application

Before finally enabling secure impersonation, you must prepare the Datameer X application and HDFS by following the instructions here. When that task is complete, you can continue with enabling the feature.

...

After enabling secure impersonation, there is a message about cluster validation. In order to ensure best operation, Datameer X can run a validation job to ensure that the cluster adheres to certain configuration guidelines. To run the set of assertions associated with secure impersonation, click Run Tests.

...

Depending on your naming conventions for Kerberos principal names, you might need to override the hadoop.security.auth_to_local property. In fact, you might have already overridden it on the cluster. Datameer X needs the rules from this property in the custom properties section of the cluster configuration. The custom properties section doesn't support property values spanning multiple lines, so the rules must be separated by a single space. As an example, the following can be useful when not all of the principals are from the default domain:

    hadoop.security.auth_to_local=RULE:[1:$1](.*) RULE:[2:$1](.*) DEFAULT
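To see what the rule line above does to principals from a non-default realm, here is an added example (not Datameer X or Hadoop code) implementing the subset of the auth_to_local syntax the page uses: RULE:[n:format](regex) and DEFAULT. The sample principals and the assumed default realm EXAMPLE.COM are constructed for the illustration.

```python
import re

# Subset of Hadoop's auth_to_local rule syntax: RULE:[n:format](regex) and
# DEFAULT. The optional sed-style s/pattern/replacement/ suffix that Hadoop
# also accepts is left out here.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\]\((.*)\)$")

def parse_rules(value):
    """Parse the single-space-separated rule list used in the custom property."""
    rules = []
    for token in value.split():
        if token == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.match(token)
        if not m:
            raise ValueError("unparsable rule: " + token)
        rules.append((int(m.group(1)), m.group(2), re.compile(m.group(3))))
    return rules

def auth_to_local(principal, rules, default_realm):
    """Map a Kerberos principal to the short name submitted to the cluster.
    Returns None when no rule matches (Hadoop rejects the login in that case)."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")          # [primary] or [primary, instance]
    for rule in rules:
        if rule is None:             # DEFAULT keeps the primary for the default realm only
            if realm == default_realm:
                return parts[0]
            continue
        ncomp, fmt, regex = rule
        if ncomp != len(parts):      # [1:...] matches user@REALM, [2:...] user/host@REALM
            continue
        candidate = fmt.replace("$0", realm)
        for i, part in enumerate(parts, start=1):
            candidate = candidate.replace("$%d" % i, part)
        if regex.fullmatch(candidate):
            return candidate
    return None

# Constructed principals: only the first one is in the assumed default realm.
PAGE_RULES = parse_rules("RULE:[1:$1](.*) RULE:[2:$1](.*) DEFAULT")
for p in ("bob@EXAMPLE.COM", "alice@CORP.EXAMPLE.COM", "etl/host1.example.com@OTHER.REALM"):
    print(p, "->", auth_to_local(p, parse_rules("DEFAULT"), "EXAMPLE.COM"),
          "(DEFAULT only) vs", auth_to_local(p, PAGE_RULES, "EXAMPLE.COM"), "(page rules)")
```

With DEFAULT alone, the two principals outside EXAMPLE.COM map to nothing and the login fails; with the page's rules every principal collapses to its primary component.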

...

If you need to see how your AD/LDAP user names are submitted to the cluster after the rules are applied once secure impersonation is in place, you can add additional logging.

Expected impersonation behaviors

Refer to the following table to understand how secure impersonation affects the ownership of import jobs, file uploads, data links, workbooks, and export jobs. Note that the group permissions apply to the artifact, not the folders the artifacts are in.

Scenario | Owner in HDFS | Group in HDFS | Permissions for Owner in HDFS | Permissions for Group in HDFS | Owner of YARN application (when job is triggered manually) | Owner of YARN application (when job is triggered by schedule) | Preview data accessed
--- | --- | --- | --- | --- | --- | --- | ---
Creating an artifact | Creator | Group selected; if none selected, the default Datameer X group | Read and write | Only read | n/a | n/a | n/a
Running a job | Creator | n/a | Read and write | Only read | Creator | Creator | Logged in user
Previewing data | Creator | Group selected; if none selected, the default Datameer X group | Read and write | Only read | Creator | Creator | Logged in user
Saving edited artifact (not as creator) | Creator | Group selected; if none selected, the default Datameer X group | Read and write | Only read | Creator | Creator | Logged in user
Updating permissions | Creator | Newly selected group | Read and write | Newly selected group and read permission only | Creator | Creator | Logged in user