Previously, secure impersonation functioned by having a single super group user, the Datameer X service user, in the Hadoop environment impersonate all authenticated users set in Kerberos. Datameer's new secure impersonation method (Native Multi User) validates each individual user separately using the user's own Kerberos keytab.
Table of Contents
Setup Instructions for Secure Impersonation in Native Multi User Mode
First, create a user for your Datameer X installation. This user will be called the Datameer X service user. Unless otherwise stated, perform the next steps as this user.
Preparing Datameer X for startup using the command line
- Unzip Datameer on your Hadoop cluster in a folder of your choice as the Datameer X service user.
- Configure your MySQL database.
- Add the MySQL JDBC driver to
webapps/conductor/WEB-INF/lib/
. (E.g., for MySQL 5.7.19 you can use "mysql-connector-java-5.1.43-bin.jar") - Configure your MySQL database parameters in the
conf/default.properties
file - Use the " bin/create-table.sql " script to initially fill the Datameer X database.
- Start Datameer
...
License
Authentication
- Go to the Admin tab.
- Click Authentication from the menu.
Configure your Active Directory or LDAP (this example focus on Active Directory in the following steps) by clicking Edit .
Note title Important Enter the impersonation attribute. (E.g., userPrincipalName). This is necessary if your users are in different realms. If you don't use it then the configured default realm from your Datameer X servers Kerberos client config is taken to create the principal for the Kerberos Keytab file.
- Save the authentication configuration.
Don't log out! If you log out you will not be able to login again as the current admin user. Only the superuser functionality of DM will be able to log you in again. - Wait until the authentication cache has refreshed.
- Click Users from the menu. Select the groups and users that should be able to authenticate.
- Define a new admin user. The current user is no longer valid after logout.
...
- Click on Hadoop cluster from the menu and click Edit.
- From the Cluster Mode settings, select Multi User Kerberos Secured Hadoop Cluster.
- Enter your name node.
- Enter the private folder path for Datameer.
- Select the Enable Impersonation checkbox.
- Enter your Cluster Settings depending on your Hadoop cluster.
- Enter under Kerberos Settings:
- the principal for the Datameer X service user. (E.g., <name>@<realm> )
- the path to the Datameer X service users Keytab file.
- the yarn principal. (E.g., yarn/_HOST@<realm>)
- the HDFS principal. (E.g., hdfs/_HOST@<realm>)
- the mapred principal. (E.g., mapred/_HOST@<realm>)
- Enter any necessary Hadoop properties for the cluster.
- Enter under Automatic Keytab Management Settings:
- the full path to ktutil. (E.g., /usr/bin/ktutil)
- the path to the folder where Datameer X should store the generated Keytab files. The folder needs to have the user "Datameer" as the owner and the permission 700. There is already a Keytab folder in the default installation of Datameer. (E.g., <path to your Datameer X installation>/etc/keytabs)
- Don't set the Kerberos Realm if you already set the impersonation attribute in the Active Directory configuration . If you don't set the Kerberos Realm and you don't have the impersonation attribute set in the Active Directory configuration, the default realm from the Datameer X server Kerberos client configuration will be taken.
- Enter the password encryption algorithms necessary for your Kerberos installation. (E.g., aes256-cts-hmac-sha1-96, aes256-cts, arcfour-hmac)
- logout and restart Datameer
...
Anchor | ||||
---|---|---|---|---|
|
...
Info | ||
---|---|---|
| ||
When using secure impersonation on Datameer X |
...
in Native Multi User mode, the Datameer |
...
Change of ownership process:
- The original folder (e.g., /path/to/dm_home_folder/workbooks/<wbk_config_id>) is copied by the new owner. (The user changing ownership must be an admin and the new owner requires view access to the original data.)
- The copy is appended with the new owners username (e.g., /path/to/dm_home_folder/workbooks/<wbk_config_id>_userName)
- New data is written to the new folder in HDFS.
- The original folder is submitted to Housekeeping and deletes the old data.
Limitations of changing owners:
...
Service User is not a part of the Hadoop superuser group and therefore loses the privilege to change an artifact's ownership. Datameer stores data in the HDFS, and whenever you want to change the artifact's owner, the ownership of the associated files in the HDFS have to be changed as well. Changing the ownership is only possible when there are no data objects ('actual data' and 'job history') associated with this artifact in the HDFS. Note that changing the ownership via the Set Permission option (bulk amendment) is a bug, as it does not change HDFS objects. |
To change the ownership anyway:
Note: This is not an option for artifacts whose original data sources are not available anymore.
- Change to the artifacts detail page.
- Switch to the 'Current Data' section, click on the delete icon from the 'Operations' column and delete the actual data.
- Switch to the 'History' section and click on the delete icon from the 'Operations' column and delete the job history.
- Switch to the File Browser and click on the artifact.
- From the File Browser Inspector, navigate to the section 'Owner' and change the artifacts owner to your needs.
- Rerun the artifact to regenerate the data under the new ownership.