Proxy Group Configuration on Ambari

Arcadia Enterprise enables you to delegate LDAP sign-in authentication based on group assignment.

By default, Arcadia Enterprise proxy configuration is set to delegate to all users. You can also configure a proxy user to delegate to one or more users. However, if your environment requires a proxy user to delegate to multiple users, it may be cumbersome to specify each user one by one. This feature allows the proxy user to delegate authority to a group of users.

Availability Notes:
  • Available only when Apache Ranger is enabled.
  • Available only on Arcadia Engine connections, and when Impersonation is selected under the Advanced tab, in the Create New Data Connection dialog box. See Arcadia Connections.

Configure Proxy Settings on Ambari Interface

After Installing Arcadia Enterprise Using Ambari Stacks, perform the following steps on the Ambari interface, for proxy group configuration:
  1. In the Ambari interface, click Services in the top navigation menu.
  2. Click Arcadia Enterprise on the left navigation bar.
  3. Click the Configs tab near the top of the interface.
  4. Click the (right arrow) icon to the left of Advanced arcadia-analytic-engine. Note the details of Arcadia Analytic Engine configuration.
  5. In the main area of the interface, in the search box, enter the text proxy and start the search.
  6. In the Proxy Group Configuration field, enter the username of the proxy user and the group to whom you are allowed to delegate. In our example, we entered arcadia=Group1, where proxy user is arcadia and the group to whom this proxy user is delegating to is Group1.

    You can also specify a list of groups, separated by a delimiter. Default delimiter is comma, which can be changed with the authorized_proxy_user_config_delimiter command.

    Command Syntax:
    <proxy_user>=<group1>,<group_2>,<group_3>; <proxy_user>=<group4>
    For example:
    arcadia=Group1,Group2;Group3; admin=Group4
  7. In the Proxy User Configuration field, delete the default value arcadia=* as it allows a superuser to delegate to all users. When you are configuring a proxy group, either leave this field blank, or specify a single user or multiple users, separated by a delimiter. Do not specify all users. In our example, we entered, arcadia=admin.
    <proxy_user>=<user1>,<user_2>,<user_3>; <proxy_user>=<*>
    For example:
    arcadia=user1,user2,user3; admin=*
  8. Click Save Changes to save the configuration.
Specifying a proxy user and a group
Proxy Group Configuration
  1. To restart Arcadia Enterprise service and apply configuration changes, click the orange icon in the Arcadia Enterprise menu bar.

    clicking to restart Arcadia Enterprise service
    Restarting Arcadia Enterprise Service
  2. In the Restart Stale Services interface, click Restart Now to restart Arcadia Enterprise service.

    confirming restart of Arcadia Enterprise service
    Confirming Restart of Arcadia Enterprise Service

After Arcadia Enterprise service successfully restarts, your proxy group configuration is complete.

Example of Proxy Group Configuration on ArcViz

After configuring the proxy group configuration on Cloudera, let us demonstrate the access behavior of one of the users in Group1. In our example, one of our Group1 users is ldapuser1.

  1. Log into ArcViz with username=ldapuser1 and Password=arcadia.

    To set up authentication for the delegated user in the group, configure username and password through LDAP.

  2. On the main navigation bar, click Data.
  3. In the main area, click the Connection Explorer tab.
  4. Select the default database.
  5. Select the cabrides dataset from the abbreviated list of datasets.
  6. A table with sample data appears under the Sample Data tab at the bottom of the screen. The proxy user arcadia is allowed to delegate to ldapuser1, therefore the user is able to access Arcadia services.
    Accessing Arcadia service
    Access Arcadia Service
  7. Now let's delete the proxy user and the delegated group, arcadia=Group1, from the Proxy Group Configuration field in the Ambari Interface.

    As ldapuser1 is part of Group1, after deleting the setting, this user should not be able to access Arcadia services.

    Deleting arcadia=Group1 from the Proxy Group Configuration' field.
    Delete Proxy User and the Delegated Group
  8. Logout of Arcadia account.
    'labuser1' logging out
    Logout
  9. Log in as ldapuser1 again, and repeat steps 1 - 5.
  10. An error message appears, User 'arcadia....is not authorized to delegate to 'ldapuser1'. The ldapuser1 is unable to impersonate proxy user arcadia and cannot access Arcadia services.
    Displaying an error message
    No Access to the Group User