Thanks Chris, it helped.

Sent from my iPhone

> On 24-Jun-2016, at 01:15, Chris Nauroth <cnaur...@hortonworks.com> wrote:
> 
> Hello Aneela,
> 
> If your cluster has enabled Kerberos security, then the HADOOP_USER_NAME 
> environment variable has no effect.
> 
> It sounds like you want to test a proxy user scenario, in which 
> authentication is performed as user "hdfs" via Kerberos, but then execution 
> of the request (including any group membership resolution and authorization 
> checks) proceeds as user "michael".  There is a different environment 
> variable named HADOOP_PROXY_USER that can be set to achieve this.
> 
> Does that help?
> 
> --Chris Nauroth
> 
> From: Aneela Saleem <ane...@platalytics.com>
> Date: Thursday, June 23, 2016 at 12:45 PM
> To: "user@hadoop.apache.org" <user@hadoop.apache.org>
> Subject: Kerberos Impersonation in Hadoop
> 
> Hi all,
> 
> I'm trying Kerberos impersonation in Hadoop, but I can't get a clear idea of 
> what impersonation is. Is it achieved by setting HADOOP_USER_NAME 
> on the command line, or is it something else? It's confusing. I can't understand 
> it from the documentation. 
> 
> Actually, what I'm trying to do is simulate LDAP users on my system when 
> accessing HDFS. I'm using group mapping from LDAP, and that's working fine 
> when I run the 'hdfs groups' command. I just want to check whether the 
> user I pass in HADOOP_USER_NAME on the command line when accessing HDFS is 
> actually impersonating an LDAP user or not. How can I verify it? Let's have a 
> look at the following use case:
> 
> - I have a service principal, i.e., hdfs/platalytics.com@platalyticsrealm
> - I initiate the authentication request using this service principal and get a TGT 
> for this principal
> - Now when I run the command with any proxy user, whether it exists or not
> - HADOOP_USER_NAME=michael hdfs dfs -mkdir /temp it allows me to create the temp 
> directory on behalf of 'hdfs' (michael is an LDAP user)
> 
> But when I initiate an authentication request through a user principal, i.e., 
> michael/platalytics.com@platalyticsrealm
> and run the command hdfs dfs -mkdir /temp, it says michael doesn't have 
> enough permissions.
> 
> I can't understand how things are working. How can I test LDAP users? I 
> have not configured PAM for LDAP authentication; I want to test it without 
> PAM.
> 
> I have enabled impersonation with the following configuration parameters:
> <property>
>     <name>hadoop.proxyuser.hdfs.groups</name>
>     <value>Admin,hdfs</value>
> </property>
> <property>
>     <name>hadoop.proxyuser.hdfs.hosts</name>
>     <value>platalytics.com</value>
> </property>
> Thanks

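
The proxy-user rule configured in the thread, as an added example that is not part of the original messages and is not Hadoop's own code: a simplified Python model of the check applied when "hdfs" authenticates via Kerberos and a request is made as HADOOP_PROXY_USER. The group memberships passed in and the second host name are constructed, and host matching is reduced to string comparison (Hadoop itself matches the client address).

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment holding the two properties quoted in the thread.
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.hdfs.groups</name><value>Admin,hdfs</value></property>
  <property><name>hadoop.proxyuser.hdfs.hosts</name><value>platalytics.com</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse <property><name>/<value> pairs into a dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def _csv(props, key):
    """Comma-separated value as a set, or None when the key is not configured."""
    if key not in props:
        return None
    return {v.strip() for v in props[key].split(",") if v.strip()}


def may_impersonate(props, real_user, proxy_user, proxy_user_groups, client_host):
    """Return (allowed, reason) for real_user acting as proxy_user from client_host.

    Simplified model (assumption): the real user needs a users/groups rule that
    covers the proxied user AND a hosts rule that covers the client.
    """
    prefix = f"hadoop.proxyuser.{real_user}."
    users = _csv(props, prefix + "users")
    groups = _csv(props, prefix + "groups")
    hosts = _csv(props, prefix + "hosts")

    in_users = users is not None and ("*" in users or proxy_user in users)
    in_groups = groups is not None and (
        "*" in groups or bool(groups & set(proxy_user_groups)))
    if not (in_users or in_groups):
        return False, f"{real_user} is not allowed to impersonate {proxy_user}"
    if hosts is None or ("*" not in hosts and client_host not in hosts):
        return False, f"unauthorized connection for {real_user} from {client_host}"
    return True, "allowed"


if __name__ == "__main__":
    props = load_props(CORE_SITE)
    # Constructed group memberships for the LDAP user "michael".
    for grp in (["Admin"], ["analysts"]):
        print(grp, may_impersonate(props, "hdfs", "michael", grp, "platalytics.com"))
```

Group names are compared case-sensitively here, so "Admin" in the rule must match the name returned by the LDAP group mapping exactly.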