From 5fc26516f161fa489136b97de809d3dc0944faba Mon Sep 17 00:00:00 2001
From: futureltl
Date: Wed, 21 Aug 2024 14:34:15 +0800
Subject: [PATCH] [KYUUBI #6628] [DOCS] Improve docs for GROUP Share Level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# :mag: Description

## Issue References 🔗

This pull request fixes #3897

## Describe Your Solution 🔧

Enrich the description for GROUP Share Level.

## Types of changes :bookmark:
- [ ] Bugfix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request :coffin:

#### Behavior With This Pull Request :tada:

#### Related Unit Tests

---

# Checklist 📝

- [ ] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

**Be nice. Be informative.**

Closes #6628 from futureltl/master.

Closes #6628

ba18bfce4 [futureltl] Improve docs for GROUP Share Level
3b19521e1 [futureltl] Improve docs for GROUP Share Level
da7d9b61e [Cheng Pan] Update docs/deployment/engine_share_level.md
674066a08 [Cheng Pan] Update docs/deployment/engine_share_level.md
c3a373370 [Cheng Pan] Update docs/deployment/engine_share_level.md
7389cedd2 [futureltl] Improve docs for GROUP Share Level

Lead-authored-by: futureltl
Co-authored-by: Cheng Pan
Signed-off-by: Cheng Pan
---
 docs/deployment/engine_share_level.md | 53 +++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/docs/deployment/engine_share_level.md b/docs/deployment/engine_share_level.md
index 4a7b680cb..7a11260bd 100644
--- a/docs/deployment/engine_share_level.md
+++ b/docs/deployment/engine_share_level.md
@@ -108,6 +108,59 @@ It follows the [Hadoop GroupsMapping](https://hadoop.apache.org/docs/current/had The mechanisms of `SparkContext`, `SparkSession` and TTL works similarly to USER share level. +Here is an example to configure `HadoopGroupProvider` to use LDAP-based group mapping. +1. Add the properties shown in the example below to the `core-site.xml` file. You will need to provide the value for the bind user, the bind password, and other properties specific to your LDAP instance, and make sure that object class, user, and group filters match the values specified in your LDAP instance. + +```xml +hadoop.security.group.mapping + org.apache.hadoop.security.LdapGroupsMapping + + + + hadoop.security.group.mapping.ldap.url + ldap://localhost:389 + + + + hadoop.security.group.mapping.ldap.base + dc=example,dc=com + + + + hadoop.security.group.mapping.ldap.bind.user + cn=Manager,dc=example,dc=com + + + + hadoop.security.group.mapping.ldap.bind.password + example + + + + hadoop.security.group.mapping.ldap.search.filter.user + (&(objectClass=posixAccount)(cn={0})) + + + + hadoop.security.group.mapping.ldap.search.filter.group + (objectClass=posixGroup) + + + + hadoop.security.group.mapping.ldap.search.attr.member + memberuid + + + + hadoop.security.group.mapping.ldap.search.attr.group.name + cn + +``` + +2. Use the applicable instructions to re-start the HDFS NameNode and the YARN ResourceManager. +3. Verify LDAP group mapping by running the `hdfs groups` command. This command will fetch groups from LDAP for the current user. Note that with LDAP group mapping configured, the HDFS permissions can leverage groups defined in LDAP for access control. + **Tips for authorization in GROUP share level**: The session user and the primary group name(as sparkUser/execute user) will be both accessible at engine-side.
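Review bot: the `hadoop.security.group.mapping.ldap.bind.password` entry in the new `core-site.xml` example puts the LDAP bind credential in plaintext (`example`) into a file that is normally readable by every account on the node, and the example URL is `ldap://localhost:389`, so the bind password and every group lookup would also cross the network in clear. Since step 1 already tells readers to "provide the value for the bind user, the bind password", the doc should steer them to `hadoop.security.group.mapping.ldap.bind.password.file` (or a credential provider via `hadoop.security.credential.provider.path`) instead of an inline value, and mention `ldaps://` together with `hadoop.security.group.mapping.ldap.ssl` for the URL. Two smaller points in the same hunk: the fence is tagged `xml` but, as rendered here, the entries appear without their enclosing `<property>`/`<name>`/`<value>` elements, so confirm the committed file really contains well-formed property elements; and step 2 restarts only the HDFS NameNode and YARN ResourceManager, whereas the lead sentence configures `HadoopGroupProvider`, which resolves groups in the Kyuubi server process, so the updated `core-site.xml` must also be on the Kyuubi server's classpath and that server restarted, otherwise `hdfs groups` in step 3 verifies HDFS but not the primary group the GROUP share level actually uses.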