Set Up Hadoop Group Mapping for LDAP/AD
To ensure that LDAP/AD group level authorization is enforced in Hadoop, you should set up Hadoop group mapping for LDAP/AD.
You must have access to LDAP and the connection details. Note that LDAP settings can vary depending on what LDAP implementation you are using.

Group mapping can be set up in one of the following ways:
- Using SSSD (Recommended)
- Manually create users and groups in the Linux environment
- In core-site.xml

Using SSSD (Recommended)
The recommended method for group mapping is to use SSSD or one of the following services to connect the Linux OS with LDAP:
- Centrify
- NSLCD
- Winbind
- SAMBA
Manually create users and groups in the Linux environment
Manually create users and groups (see link below) in your Linux environment.
In core-site.xml
Configure Hadoop to use LDAP-based group mapping:

- Add the properties shown in the example below to the core-site.xml file. You will need to provide the value for the bind user, the bind password, and other properties specific to your LDAP instance, and make sure that the object class, user, and group filters match the values specified in your LDAP instance. The commented-out bind.password.file property shows the alternative of reading the bind password from a file instead of storing it in cleartext in core-site.xml.

```xml
<property>
  <name>hadoop.security.group.mapping</name>
  <value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.bind.user</name>
  <value>cn=Manager,dc=hadoop,dc=apache,dc=org</value>
</property>
<!-- Alternative to storing the bind password in this file:
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
  <value>/etc/hadoop/conf/ldap-conn-pass.txt</value>
</property>
-->
<property>
  <name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>hadoop</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://localhost:389/</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.base</name>
  <value></value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <!-- "&" must be written as &amp; inside XML -->
  <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectclass=groupOfNames)</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value>
</property>
<property>
  <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
  <value>cn</value>
</property>
```

- Depending on your configuration, you may be able to refresh user and group mappings using the following HDFS and YARN commands:

```
hdfs dfsadmin -refreshUserToGroupsMappings
yarn rmadmin -refreshUserToGroupsMappings
```

- Verify LDAP group mapping by running the hdfs groups command. This command will fetch groups from LDAP for the current user. Note that with LDAP group mapping configured, the HDFS permissions can leverage groups defined in LDAP for access control.
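As an added example (not part of the original page or of Hadoop), the script below parses the properties above and shows the two LDAP searches they produce: the user filter with `{0}` filled in, and the group filter ANDed with `<member attribute>=<user DN>`, plus a lint of the settings a reviewer would want changed. The sample XML is constructed from the page's fragment; the filter composition and RFC 4515 escaping are assumptions about how LdapGroupsMapping and JNDI behave, not code taken from them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the core-site.xml properties from this page (minus the
# mapping class and bind user), wrapped in a <configuration> root.
CORE_SITE = """<configuration>
 <property><name>hadoop.security.group.mapping.ldap.bind.password</name>
  <value>hadoop</value></property>
 <property><name>hadoop.security.group.mapping.ldap.url</name>
  <value>ldap://localhost:389/</value></property>
 <property><name>hadoop.security.group.mapping.ldap.base</name><value></value></property>
 <property><name>hadoop.security.group.mapping.ldap.search.filter.user</name>
  <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value></property>
 <property><name>hadoop.security.group.mapping.ldap.search.filter.group</name>
  <value>(objectclass=groupOfNames)</value></property>
 <property><name>hadoop.security.group.mapping.ldap.search.attr.member</name>
  <value>member</value></property>
</configuration>"""
P = "hadoop.security.group.mapping.ldap."

def parse_core_site(xml_text):
    """Return {property name: value} for every <property> in the document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") or "" for p in root.findall("property")}

def user_filter(props, username):
    """Fill the {0} placeholder of the user filter. The RFC 4515 escaping of
    backslash, * ( ) and NUL stands in (assumption) for the argument escaping
    JNDI does for Hadoop, so a login name cannot change the filter structure."""
    escaped = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), username)
    return props[P + "search.filter.user"].replace("{0}", escaped)

def group_filter(props, user_dn):
    """AND the configured group filter with <member attr>=<user DN>, the second
    search LdapGroupsMapping issues once the user's DN is resolved (assumption)."""
    return "(&%s(%s=%s))" % (props[P + "search.filter.group"],
                             props[P + "search.attr.member"], user_dn)

def lint(props):
    """Flag the settings in the page's fragment a reviewer would want changed."""
    issues = []
    if props.get(P + "bind.password") and not props.get(P + "bind.password.file"):
        issues.append("bind password stored in cleartext in core-site.xml; "
                      "prefer hadoop.security.group.mapping.ldap.bind.password.file")
    if props.get(P + "url", "").startswith("ldap://"):
        issues.append("plain ldap:// URL: the bind password crosses the network unencrypted")
    if not props.get(P + "base"):
        issues.append("ldap.base is empty: set it to the search base of your directory")
    return issues
```

Running `lint(parse_core_site(CORE_SITE))` on the page's fragment reports all three findings; the same functions work on a real core-site.xml read from disk.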