Closed hadoopch closed 6 months ago
Are you setting `auth_provider` in your definition? The task that executes the CM external auth setup (https://github.com/cloudera-labs/cloudera.cluster/blob/main/roles/cloudera_manager/external_auth/tasks/main.yml#L31-L37) only runs if that variable is set. The configs are then marshaled via this Jinja template: https://github.com/cloudera-labs/cloudera.cluster/blob/main/roles/cloudera_manager/external_auth/templates/external_auth_configs.j2
Hi wmudge,
My settings are:

```yaml
cloudera_manager_options:
  krb_auth_enable: true
  auth_backend_order: "DB_THEN_LDAP"
  authorization_backend_order: "EXTERNAL_AND_DB"
  ldap_type: PAM
  proxyuser_knox_groups: "*"
  proxyuser_knox_hosts: "*"
  proxyuser_knox_users: "*"
  REFERER_CHECK: false
  frontend_url: "https://{{ haproxy_gw.domain }}:37180"
```
But the playbooks configure LDAP settings if I use the above configuration.
I just want to use PAM for Cloudera Manager, which means Cloudera Manager uses the users and groups from the OS.
I like this configuration because the underlying OS normally already has its own AD / LDAP configuration via SSSD.
Then for CM you don't need to configure all this stuff again. This makes configuration very simple.
But for some reason it is not working. If I check the configuration history, you can see that the values were set at the beginning. But then frontend_url is deleted, PAM is replaced by LDAP and some LDAP settings are made.
Regards
Uli
Try the following in your `definition.yml`:

```yaml
cloudera_manager_options:
  KRB_AUTH_ENABLE: "true"
  REFERER_CHECK: "false"
  frontend_url: "https://proxy.your.domain"
auth_providers:
  PAM:
    type: PAM
cloudera_manager_external_auth:
  provider: PAM
```
@wmudge: Thanks a lot. I have a more or less working config now.
I finally set:

```yaml
cloudera_manager_options:
  KRB_AUTH_ENABLE: true
  AUTH_BACKEND_ORDER: "DB_THEN_LDAP"
  proxyuser_knox_groups: "*"
  proxyuser_knox_users: "*"
  proxyuser_knox_hosts: "*"
  REFERER_CHECK: false
  CDPPC_REPO_URLS: "https://cdpsoft2.obs.{{ ep_suffix }}/parcels/DS/1.5.2-h1"
  REMOTE_PARCEL_REPO_URLS: "https://cdpsoft2.obs.{{ ep_suffix }}/parcels/DS/1.5.2-h1/parcels/"
  SESSION_TIMEOUT: 3600
  frontend_url: "https://{{ haproxy_gw.domain }}:37180"
auth_providers:
  PAM:
    type: PAM
cloudera_manager_external_auth:
  provider: PAM
  external_only: no
  external_first: no
```
external_only and external_first are required otherwise you run into an error.
With this config, `referer_check` is still ignored.
With this config, the following parameters are unintentionally set:

```json
{ "name": "ldap_group_search_filter", "value": "(member={0})" },
{ "name": "ldap_user_search_filter", "value": "(sAMAccountName={0})" }
```
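The thread's symptom is configuration drift: the definition says PAM, but the effective CM settings end up with `ldap_type: LDAP`, no `frontend_url`, and LDAP search filters nobody asked for. A small audit that compares the live CM-level config with the intended values makes that drift visible after every play run instead of requiring a manual look at the configuration history. The script below is an added example, not part of this issue or of cloudera.cluster. It assumes the shape of the Cloudera Manager API response for `GET /api/v<N>/cm/config` (`{"items": [{"name": ..., "value": ...}]}`), the API version `v41`, and the setting names used in the thread; the hostname in `EXPECTED` and the `SAMPLE_ITEMS` list are constructed placeholders.

```python
"""Audit Cloudera Manager's effective auth settings against the intended PAM setup.

Added example; not part of the issue thread or of cloudera.cluster. It assumes
the CM API response shape of GET /api/v<N>/cm/config, i.e.
{"items": [{"name": ..., "value": ...}]}, and the setting names used in the
thread (ldap_type, REFERER_CHECK, frontend_url, ...).
"""
import base64
import json
from urllib.request import Request, urlopen

# What the definition.yml in the thread intends (hostname is a placeholder).
EXPECTED = {
    "LDAP_TYPE": "PAM",
    "AUTH_BACKEND_ORDER": "DB_THEN_LDAP",
    "REFERER_CHECK": "false",
    "FRONTEND_URL": "https://haproxy.example.invalid:37180",
}

# Settings that only belong to an LDAP/AD backend. With PAM they are drift:
# they mean the role wrote its LDAP defaults over the PAM configuration.
LDAP_ONLY = {"LDAP_GROUP_SEARCH_FILTER", "LDAP_USER_SEARCH_FILTER"}


def audit_cm_config(items, expected=EXPECTED, ldap_only=LDAP_ONLY):
    """Return findings: wrong values, missing settings and stray LDAP settings.

    CM reports setting names in mixed case depending on version, so names and
    values are compared case-insensitively.
    """
    actual = {str(i["name"]).upper(): str(i.get("value", "")) for i in items}
    findings = {"mismatch": {}, "missing": [], "unexpected_ldap": {}}
    for name, want in expected.items():
        key = name.upper()
        if key not in actual or actual[key] == "":
            findings["missing"].append(key)
        elif actual[key].lower() != str(want).lower():
            findings["mismatch"][key] = (str(want), actual[key])
    for name in ldap_only:
        key = name.upper()
        if actual.get(key):
            findings["unexpected_ldap"][key] = actual[key]
    return findings


def is_clean(findings):
    """True when no drift was found."""
    return not any(findings.values())


def fetch_cm_config(base_url, user, password, api_version="v41"):
    """GET the CM-level config via the API (basic auth); returns the items list."""
    url = f"{base_url.rstrip('/')}/api/{api_version}/cm/config"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)["items"]


# Constructed sample mirroring what the thread reports after the play ran:
# ldap_type flipped to LDAP, frontend_url gone, LDAP filters silently added.
SAMPLE_ITEMS = [
    {"name": "ldap_type", "value": "LDAP"},
    {"name": "auth_backend_order", "value": "DB_THEN_LDAP"},
    {"name": "REFERER_CHECK", "value": "false"},
    {"name": "ldap_group_search_filter", "value": "(member={0})"},
    {"name": "ldap_user_search_filter", "value": "(sAMAccountName={0})"},
]

if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_cm_config(...) for a live CM.
    print(json.dumps(audit_cm_config(SAMPLE_ITEMS), indent=2))
```

Running it against a live Cloudera Manager (`fetch_cm_config("https://cm.example.invalid:7183", user, password)`) right after the `cloudera_manager` roles finish gives a pass/fail signal for the PAM intent; a non-empty `unexpected_ldap` section is exactly the footprint this thread describes.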
Hi,
I set various cloudera_manager_options:
`frontend_url` was not set. `ldap_type: PAM` was ignored; instead `ldap_type: LDAP` was used. `REFERER_CHECK` was also ignored and false is set. In a former release at least ldap_type and frontend_url were working.