| Table of Contents |
|---|
Prerequisites and Preparation
Before getting started with preparation, ensure that the Datameer X application is configured with the appropriate authenticator to ensure that only valid HDFS users and groups exist in Datameer.
...
A key consideration for enabling the impersonation feature is that all users and groups available in Datameer X must map directly to the HDFS user/group community. This is typically done by configuring Datameer X to use an LDAP authenticator and employing group filtering to ensure that only valid HDFS groups are available within Datameer. See details on configuring the Datameer X LDAP Authenticator.
| Info | ||
|---|---|---|
| ||
For the best results, you should first configure the remote authenticator and then the import users to insure that the group filters are working properly. |
...
At this point, the Datameer X installation should be configured to run in secure cluster mode. Please ensure that secure grid mode is configured and working before continuing.
| Warning |
|---|
Don't enable secure impersonation, yet! |
HDFS group setup
It is recommended to create an HDFS group containing all Datameer X users for a few reasons:
- To avoid having to configure any directories to world writable.
- To tightly control which users that the Datameer X user can proxy.
This Datameer X users group can be excluded from Datameer's LDAP authenticator if you don't want to expose it to end users.
| Anchor | ||||
|---|---|---|---|---|
|
Because secure impersonation in Datameer X is based on native Hadoop instruments, the OS user which runs the Datameer X application must be configured as both an HDFS superuser (member of the hdfs.supergroup) and allowed to proxy Datameer X users from the Datameer X machine.
Add a Datameer X user to the HDFS supergroup
The HDFS supergroup is configured by default as {{supergroup}}, but is configured in hdfs-site.xml by the setting:
...
Once you have determined the supergroup, add the Datameer X user to this group through your normal OS user management tools.
...
For example, assuming the Datameer X user is datameer and that a group exists called dasusers which contains all Datameer X users, the groups setting are as follows:
...
Next, assuming that the Datameer X application is running on datameer.example.com then hosts are configured as:
...
If you are using a Kerberos-secured cluster with secure impersonation and HDFS transparent encryption, you also need to configure the proxy user for KMS.
Preparing the Datameer X application
Before finally enabling secure impersonation, you must prepare the Datameer X application and HDFS by following the instructions here. When that task is complete, you can continue with enabling the feature.
...
After enabling secure impersonation, there is a message about cluster validation. In order to ensure best operation, Datameer X can run a validation job to ensure that the cluster adheres to certain configuration guidelines. To run the set of assertions associated with secure impersonation, click Run Tests.
...
Depending on your naming conventions for Kerberos principal names you might need to override the 'hadoop.security.auth_to_local' property. In fact, you might have already overridden this on the cluster. Datameer X needs the rules from this property in the custom properties section of the cluster configuration. The custom property section doesn't support property values across multiple lines, so the rules should be separated by a single space. As an example, the following can be useful when not all of the principals are from the default domain:
| No Format |
|---|
hadoop.security.auth_to_local=RULE:[1:$1](.*) RULE:[2:$1](.*) DEFAULT |
...
If you need to see how your AD/LDAP user names are submitted to the cluster after the rules are applied when secure impersonation is implemented you can add additional logging.
Expected impersonation behaviors
Refer to the following table to understand how secure impersonation affects the ownership of import jobs, file uploads, data links, workbooks, and export jobs. Note that the group permissions apply to the artifact, not the folders the artifacts are in.
| Scenario | Owner in HDFS | Group in HDFS | Permissions for Owner in HDFS | Permissions for Group in HDFS | Owner of YARN application (when job is triggered manually) | Owner of YARN application (when job is triggered by schedule) | Preview data accessed |
|---|---|---|---|---|---|---|---|
| Creating an artifact | Creator | Group selected, if none selected, the default Datameer X group | Read and write | Only read | n/a | n/a | n/a |
| Running a job | Creator | n/a | Read and write | Only read | Creator | Creator | Logged in user |
| Previewing data | Creator | Group selected, if none selected, the default Datameer X group | Read and write | Only read | Creator | Creator | Logged in user |
| Saving edited artifact (not as creator) | Creator | Group selected, if none selected, the default Datameer X group | Read and write | Only read | Creator | Creator | Logged in user |
| Updating permissions | Creator | Newly selected group | Read and write | Newly selected group and read permission only | Creator | Creator | Logged in user |