Previously, secure impersonation worked by having a single Hadoop superuser-group account, the Datameer X service user, impersonate every user authenticated via Kerberos. Datameer's new secure impersonation method (Native Multi User) authenticates each user separately with the user's own Kerberos keytab.
First, create a user for your Datameer X installation. This user will be called the Datameer X service user. Unless otherwise stated, perform the next steps as this user.
Place the JDBC driver JAR for your database in webapps/conductor/WEB-INF/lib/ (e.g., for MySQL 5.7.19 you can use "mysql-connector-java-5.1.43-bin.jar").
Edit the conf/default.properties file.
Configure your Active Directory or LDAP (the following steps use Active Directory as the example) by clicking Edit.
Enter the impersonation attribute (e.g., userPrincipalName). This is necessary if your users are in different realms. If you don't set it, the default realm from the Kerberos client configuration of your Datameer X server is used to build the principal for the user's Kerberos keytab file.
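The realm rule in the step above is easy to get wrong in a multi-realm forest, so here is an added example (not Datameer's code) that applies it: use the configured impersonation attribute when present, otherwise qualify the login name with the `default_realm` read from krb5.conf. The krb5.conf text, the LDAP entry shape (a dict of attribute name to value), the `sAMAccountName` login attribute and the decision to fail rather than fall back when the configured attribute is missing are all assumptions made for this illustration.

```python
import re

# Constructed sample krb5.conf for the Datameer X server (not a real config).
KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    CORP.EXAMPLE.COM = {
        kdc = kdc.corp.example.com
    }
"""


def default_realm(krb5_conf_text):
    """Return default_realm from the [libdefaults] section, or None if absent."""
    in_libdefaults = False
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            in_libdefaults = line == "[libdefaults]"
            continue
        if in_libdefaults:
            m = re.match(r"default_realm\s*=\s*(\S+)", line)
            if m:
                return m.group(1)
    return None


def keytab_principal(ldap_entry, impersonation_attribute, realm):
    """
    Derive the principal a per-user keytab would be created for.

    ldap_entry: dict attribute name -> value (assumed shape of a directory entry).
    impersonation_attribute: e.g. "userPrincipalName", or None if not configured.
    realm: default realm from krb5.conf, used only when no attribute is configured.
    """
    if impersonation_attribute:
        value = ldap_entry.get(impersonation_attribute)
        # Attribute configured but missing or not realm-qualified: fail loudly
        # instead of silently creating a principal in the wrong realm
        # (assumed design choice for this example).
        if not value or "@" not in value:
            raise ValueError(f"{impersonation_attribute} missing or not realm-qualified")
        return value
    login = ldap_entry.get("sAMAccountName")  # assumed login-name attribute
    if not login or not realm:
        raise ValueError("cannot build principal: login name or default realm missing")
    return f"{login}@{realm}"


def is_foreign_realm(principal, realm):
    """True if the principal's realm differs from the server's default realm.
    Kerberos realm names are case-sensitive, so the comparison is exact."""
    return principal.rsplit("@", 1)[1] != realm
```

Because realm names are case-sensitive, a `userPrincipalName` whose suffix is lowercase (as Active Directory often stores it) will not match an uppercase Kerberos realm; `is_foreign_realm` makes such mismatches visible before a keytab is generated for a principal the KDC does not know.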
Hadoop cluster
Private folder permissions are set up automatically when Datameer X is installed on a secured Hadoop Distributed Filesystem. The information below describes these settings in detail in case they need to be applied through another tool, such as Apache Ranger.
<datameer private folder> to r-x.
<datameer private folder> sub folders to rwx.
Datameer X restricts its folders to the following permissions:
folder | owner | group | owner bits | group bits | others bits |
---|---|---|---|---|---|
datameer private folder | datameer service user | datameer service user group | rwx | --- | --x |
datameer private folder 1st level siblings | datameer service user | datameer service user group | rwx | --- | -wx |
individual job folders | job owner | default group, or the group shared with | rwx | not shared: ---; allowed to edit: -wx; allowed to view: r-x | not shared: ---; allowed to edit: -wx; allowed to view: r-x |
job execution folder | job owner | default group, or the group shared with | rwx | not shared: ---; allowed to edit: --x; allowed to view: r-x | not shared: ---; allowed to edit: --x; allowed to view: r-x |
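When these permissions are maintained through another tool such as Ranger, it helps to be able to audit a live listing against the table. The following is an added example (not Datameer's code) that encodes the table as a policy, parses `hdfs dfs -ls` style output, reports folders whose mode or owner deviates, and prints the `hdfs dfs -chmod` commands that would restore the expected mode. The listing, the `/datameer/private/jobs/...` path layout and the per-folder sharing settings are constructed for the example; the real paths and sharing state come from your installation.

```python
OWNER_BITS = "rwx"

# Group/others bits for shared folders, per sharing level (from the table above).
SHARE_BITS = {
    "job":       {"none": "---", "edit": "-wx", "view": "r-x"},
    "execution": {"none": "---", "edit": "--x", "view": "r-x"},
}

# Folders with fixed modes: the private folder and its 1st-level siblings.
FIXED_MODES = {"private": "rwx-----x", "sibling": "rwx----wx"}


def expected_mode(kind, group_share="none", others_share="none"):
    """Return the 9-character symbolic mode the table prescribes for a folder kind."""
    if kind in FIXED_MODES:
        return FIXED_MODES[kind]
    bits = SHARE_BITS[kind]
    return OWNER_BITS + bits[group_share] + bits[others_share]


def to_octal(mode):
    """Convert 'rwxr-x---' to '750' for use with hdfs dfs -chmod."""
    digits = []
    for i in range(0, 9, 3):
        triple = mode[i:i + 3]
        digits.append(str((4 if triple[0] == "r" else 0)
                          + (2 if triple[1] == "w" else 0)
                          + (1 if triple[2] == "x" else 0)))
    return "".join(digits)


def parse_ls_line(line):
    """Parse one directory line of `hdfs dfs -ls` output; None for anything else."""
    parts = line.split(None, 7)
    if len(parts) < 8 or not parts[0].startswith("d"):
        return None
    # parts[0] may carry a trailing '+' when an ACL is set; keep only the 9 mode bits.
    return {"mode": parts[0][1:10], "owner": parts[2], "group": parts[3], "path": parts[7]}


def audit(listing, policy):
    """
    policy: path -> (kind, group_share, others_share, expected_owner).
    Returns a list of (path, what, actual, expected) violations.
    """
    violations = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None or entry["path"] not in policy:
            continue
        kind, gshare, oshare, owner = policy[entry["path"]]
        want = expected_mode(kind, gshare, oshare)
        if entry["mode"] != want:
            violations.append((entry["path"], "mode", entry["mode"], want))
        if entry["owner"] != owner:
            violations.append((entry["path"], "owner", entry["owner"], owner))
    return violations


def remediation(violations):
    """Build the hdfs dfs -chmod commands that would fix mode violations."""
    return [f"hdfs dfs -chmod {to_octal(want)} {path}"
            for path, what, _actual, want in violations if what == "mode"]


# Constructed listing (hypothetical layout), as `hdfs dfs -ls` would print it.
LISTING = """Found 3 items
drwx-----x   - datameer datameer          0 2023-04-01 09:00 /datameer/private
drwx---r-x   - alice    analysts          0 2023-04-01 09:05 /datameer/private/jobs/42
drwx-wx---   - bob      analysts          0 2023-04-01 09:06 /datameer/private/jobs/7
"""

# Constructed sharing state: job 42 is viewable by its group, job 7 editable by its group.
POLICY = {
    "/datameer/private":         ("private", "none", "none", "datameer"),
    "/datameer/private/jobs/42": ("job",     "view", "none", "alice"),
    "/datameer/private/jobs/7":  ("job",     "edit", "none", "bob"),
}


def run_audit():
    return audit(LISTING, POLICY)


if __name__ == "__main__":
    found = run_audit()
    for v in found:
        print("violation:", v)
    for cmd in remediation(found):
        print(cmd)
```

In the constructed listing, job 42 grants read to others instead of to its group, so the audit flags it and proposes `hdfs dfs -chmod 750`; in Native Multi User mode the chmod has to be run as the job owner (or through Ranger), since the service user is no longer a superuser.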
When secure impersonation is used on Datameer X in Native Multi User mode, the Datameer service user is not a member of the Hadoop superuser group and therefore can no longer change an artifact's ownership on its own. Datameer stores data in HDFS, so whenever an artifact's owner is changed, the ownership of the associated HDFS files has to be changed as well. Changing the ownership is therefore only possible when no data objects ('actual data' and 'job history') associated with the artifact exist in HDFS. Note that changing the ownership via the Set Permission option (bulk amendment) is affected by a bug: it does not change the HDFS objects.
To change the ownership anyway:
Note: This is not an option for artifacts whose original data sources are not available anymore.