There are a few things:

In Kerberos/secure mode, users need to be materialized on each node. If you 
are using AD/LDAP, then you can use SSSD (or equivalent), else you need to 
create the users explicitly on each node using ansible or puppet or manually…

The group mapping can be via LDAP or by groups from unix (SSSD will also do 
this for you). FYI, LdapGroupsMapping is not recommended due to performance 
reasons. FYI, if you are using SSSD, it will get the groups from LDAP/AD.

In Kerberos/secure mode, you need to materialize users on each node regardless 
of whether you are accessing S3 or HDFS. This is a YARN requirement, so that 
the YARN job process will run as the end user.

The users and groups in Ranger are just for convenience to create policy. 
Having them or not in Ranger doesn't affect the service. However, you will not 
be able to create the policies in Ranger. During testing or PoC, if you don't 
want to sync, you can manually add them to Ranger using the Ranger Admin UI.
 

Bosco
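
Added example, not part of the original message or of Ranger/Hadoop: a pre-flight check to run on each node, confirming that the OS resolves every end user and showing the unix groups it reports for them. The function names and the usernames passed in are placeholders; it assumes the accounts are served through the node's normal user lookup (local files or SSSD).

```shell
#!/bin/sh
# Added example: verify that end users are materialized on this node.
# Usage: sh check_users.sh alice bob   (usernames are placeholders)

# Print "user: group list" and return 0 if the OS resolves the user,
# return 1 otherwise. id uses the system's user lookup, so local
# accounts and SSSD-provided AD/LDAP accounts are treated alike.
resolve_user() {
    user=$1
    if ! id -u "$user" >/dev/null 2>&1; then
        return 1
    fi
    # id -Gn prints the group names exactly as the node sees them.
    printf '%s: %s\n' "$user" "$(id -Gn "$user")"
}

# Check every user given as an argument, print one report line each,
# and return 1 if any user is not materialized on this node.
check_users() {
    status=0
    for u in "$@"; do
        if line=$(resolve_user "$u"); then
            echo "OK      $line"
        else
            echo "MISSING $u (not resolvable on $(uname -n))"
            status=1
        fi
    done
    return "$status"
}

# Run the check only when usernames were passed on the command line.
if [ "$#" -gt 0 ]; then
    check_users "$@"
fi
```

A MISSING line on any node means a YARN job for that user cannot run as the end user there, whether the data is in HDFS or S3.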

From: Odon Copon <odonco...@gmail.com>
Reply-To: <user@ranger.apache.org>
Date: Monday, March 25, 2019 at 8:36 AM
To: <user@ranger.apache.org>
Subject: Ranger + Hive

 

Hi,

On my last test using HDFS + Ranger I had to sync my LDAP groups with Hadoop 
based on the following link: 
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/setting_up_hadoop_group_mappping_for_ldap_ad.html

 

That means users and groups had to be in Ranger and the Hadoop cluster to make 
policies work.

But what about Hive + Ranger? 

Is that mapping also required? 

Do I need users also to be mapped in the Hadoop cluster?

What if tables are in S3 instead of HDFS, for example?

 

Thanks.
