Arcadia Enterprise enables you to delegate LDAP sign-in authentication based
on group assignment.
By default, Arcadia Enterprise proxy configuration is set to delegate to
all users. You can also configure a proxy user to delegate to one or more users.
However, if your environment requires a proxy user to delegate to multiple users, it may
be cumbersome to specify each user one by one. This feature allows the proxy user to
delegate authority to a group of users.
Availability Notes:
Available only when Apache Ranger is enabled.
Available only on Arcadia Engine connections, and when Impersonation is
selected under the Advanced tab, in the Create New Data Connection dialog box.
See Arcadia Connections.
1. In the Ambari interface, click Services in the top navigation menu.
2. Click Arcadia Enterprise on the left navigation bar.
3. Click the Configs tab near the top of the interface.
4. Click the (right arrow) icon to the left of Advanced arcadia-analytic-engine. Note the details of the Arcadia Analytic Engine configuration.
5. In the main area of the interface, in the search box, enter the text proxy and start the search.
6. In the Proxy Group Configuration field, enter the username of the proxy user and the group to which the proxy user is allowed to delegate. In our example, we entered arcadia=Group1, where the proxy user is arcadia and the group to which this proxy user delegates is Group1.
   You can also specify a list of groups, separated by a delimiter. The default delimiter is a comma, which can be changed with the authorized_proxy_user_config_delimiter command.
7. In the Proxy User Configuration field, delete the default value arcadia=*, because it allows a superuser to delegate to all users. When you are configuring a proxy group, either leave this field blank, or specify a single user or multiple users, separated by a delimiter. Do not specify all users. In our example, we entered arcadia=admin.
8. To restart the Arcadia Enterprise service and apply the configuration changes, click the orange icon in the Arcadia Enterprise menu bar.
   Figure: Restarting Arcadia Enterprise Service
9. In the Restart Stale Services interface, click Restart Now to restart the Arcadia Enterprise service.
   Figure: Confirming Restart of Arcadia Enterprise Service
After the Arcadia Enterprise service successfully restarts, your proxy group configuration is complete.
Example of Proxy Group Configuration on ArcViz
After setting the proxy group configuration on Cloudera, let us demonstrate the
access behavior of one of the users in Group1. In our example, one of our
Group1 users is ldapuser1.
1. Log in to ArcViz with username=ldapuser1 and Password=arcadia.
   To set up authentication for the delegated user in the group, configure the username and password through LDAP.
2. On the main navigation bar, click Data.
3. In the main area, click the Connection Explorer tab.
4. Select the default database.
5. Select the cabrides dataset from the abbreviated list of datasets.
A table with sample data appears under the Sample Data tab at the bottom of the screen. The proxy user arcadia is allowed to delegate to ldapuser1, therefore the user is able to access Arcadia services.
Figure: Access Arcadia Service
Now let's delete the proxy user and the delegated group, arcadia=Group1, from the Proxy Group Configuration field in the Ambari interface. As ldapuser1 is part of Group1, after deleting the setting, this user should not be able to access Arcadia services.
Figure: Delete Proxy User and the Delegated Group
Log out of the Arcadia account.
Figure: Logout
Log in as ldapuser1 again, and repeat steps 1 - 5.
An error message appears: User 'arcadia....is not authorized to delegate to 'ldapuser1'. The proxy user arcadia can no longer delegate to ldapuser1, so ldapuser1 cannot access Arcadia services.
Figure: No Access to the Group User
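The delegation rule configured above and exercised in the ArcViz walkthrough, modeled as an added example (not Arcadia's code). It assumes that a match in either field authorizes delegation and that each field holds one proxy=targets entry; the function names and the GROUPS_OF membership table are constructed for illustration.

```python
# Added example: a model of the delegation rule on this page, not Arcadia's code.
# Group membership is a constructed dict; Arcadia resolves it through LDAP.
GROUPS_OF = {"ldapuser1": {"Group1"}, "ldapuser2": {"Group2"}}  # constructed


def parse_proxy_config(value, delimiter=","):
    """Parse 'proxy=a,b' into (proxy, {'a', 'b'}); a blank field gives (None, set())."""
    value = value.strip()
    if not value:
        return None, set()
    proxy, sep, targets = value.partition("=")
    if not sep or not proxy.strip():
        raise ValueError(f"expected proxy=targets, got {value!r}")
    return proxy.strip(), {t.strip() for t in targets.split(delimiter) if t.strip()}


def may_delegate(proxy, user, user_cfg, group_cfg, groups_of, delimiter=","):
    """True if `proxy` may act for `user` under the two field values."""
    u_proxy, users = parse_proxy_config(user_cfg, delimiter)
    g_proxy, groups = parse_proxy_config(group_cfg, delimiter)
    if u_proxy == proxy and ("*" in users or user in users):
        return True  # listed by name, or the wildcard default is still in place
    # Otherwise the user must belong to at least one delegated group.
    return g_proxy == proxy and bool(groups & groups_of.get(user, set()))


def audit(user_cfg, group_cfg, delimiter=","):
    """Flag a Proxy User Configuration value that still delegates to everyone."""
    proxy, users = parse_proxy_config(user_cfg, delimiter)
    findings = []
    if "*" in users:
        msg = f"Proxy User Configuration: {proxy} may delegate to all users"
        if group_cfg.strip():
            # Model assumption: either field matching is enough to authorize.
            msg += "; the Proxy Group Configuration restricts nothing"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for user_cfg, group_cfg in [("arcadia=*", "arcadia=Group1"),
                                ("arcadia=admin", "arcadia=Group1"),
                                ("arcadia=admin", "")]:
        print(f"user={user_cfg!r} group={group_cfg!r} audit={audit(user_cfg, group_cfg)}")
        for user in ("admin", "ldapuser1", "ldapuser2"):
            ok = may_delegate("arcadia", user, user_cfg, group_cfg, GROUPS_OF)
            print(f"  arcadia -> {user}: {'allowed' if ok else 'denied'}")
```

The three configurations in the main block correspond to the default value, the configured example, and the state after the group entry is deleted.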