After you register a CDH or CDP cluster in DataWorks, map each workspace member's Alibaba Cloud account to a cluster identity account. DataWorks then runs CDH tasks under the mapped account, enabling per-user data permission isolation across workspace members.
The configuration steps are the same for CDH and CDP clusters. This topic uses a CDH cluster as an example.
Mapping types
When you register a CDH cluster, you configure the Default Access Identity parameter to determine which account runs CDH tasks. For details, see Configure the default access identity for the cluster.
The following table describes the two account types available for Default Access Identity and the mapping types each supports.
| Account type | Behavior | Supported mapping types |
|---|---|---|
| Cluster account | A fixed cluster account runs all CDH tasks, regardless of which DataWorks user submits them. | No Authentication (default) |
| Mapping account | The CDH system account, Kerberos account, or OPEN LDAP account mapped to the submitting user's Alibaba Cloud account runs the task. After registering the cluster, go to the cluster account mapping configuration page to set up the mappings. | System Account Mapping, OPEN LDAP Account Mapping, Kerberos Account Mapping |
If Default Access Identity is set to a mapping account and Mapping Type is set to No Authentication, CDH tasks fail because no access identity is available. A CDH task also fails if no cluster account is mapped to the Alibaba Cloud account that submits it.
Which mapping type should I use?
| Mapping type | Use when |
|---|---|
| No Authentication | All tasks run under one shared cluster account regardless of who submits them. Per-user permission isolation is not required. |
| System Account Mapping | Per-user data access isolation is needed — each Alibaba Cloud account maps to a specific Cloudera Manager admin account or Hadoop account in the CDH cluster. |
| OPEN LDAP Account Mapping | The CDH cluster uses OPEN LDAP authentication. LDAP authentication requires users to provide credentials when accessing the cluster, improving security. |
| Kerberos Account Mapping | The CDH cluster uses Kerberos authentication, or Kerberos is enabled for Hive Metastore. This mapping type is required when Hive Metastore uses Kerberos; without it, metadata retrieval is affected. |
Prerequisites
Before you begin, ensure that you have:
- Created the CDH cluster accounts you want to map
- Enabled the Kerberos service on the cluster (required for Kerberos account mapping)
- Enabled the OPEN LDAP service on the cluster (required for OPEN LDAP account mapping)
- Attached a CDH computing resource to a DataWorks workspace
Step 1: Go to the cluster account mapping configuration page
- Log on to the DataWorks console. Switch to the target region, then in the left navigation pane, click More > Management Center. Select the workspace from the drop-down list and click Go To Management Center.
- In the left navigation pane, click Computing Resources.
- Find the target CDH cluster, then click Account Mapping > Edit Account Mapping under the cluster name.
Step 2: Set up cluster account mapping
- Select a mapping type: No Authentication, System Account Mapping, OPEN LDAP Account Mapping, or Kerberos Account Mapping.
- Configure the account mapping based on the selected type.

No Authentication
No mapping configuration is required. The platform runs tasks using the cluster account configured in the cluster's basic information when the CDH or CDP cluster was registered.
System Account Mapping
Map each Alibaba Cloud account (Alibaba Cloud account or RAM user) to a CDH system account, such as a Cloudera Manager admin account or a Hadoop account. Tasks submitted by the Alibaba Cloud account run under the mapped system account.
Add the account information as instructed on the page:
- Alibaba Cloud account: Select the Alibaba Cloud account and configure the mapped cluster system account.
- RAM user: Select the RAM user and configure the mapped cluster system account. Two mapping options are available:
  - Same-name mapping (default): Maps the RAM user to a cluster system account with the same name as the username portion of the RAM user ID. For example, the RAM user `ram_user_1@xxx.onaliyun.com` maps to the cluster system account `ram_user_1`, the part before the `@` symbol. CDH tasks submitted by `ram_user_1@xxx.onaliyun.com` run under `ram_user_1`. Make sure the account exists in the CDH cluster: go to CDH Cluster Management > User Management to verify or create it.
  - Different-name mapping: Maps the RAM user to a cluster system account with a different name. Configure the mapping as instructed on the page.
Kerberos Account Mapping
Map each Alibaba Cloud account (Alibaba Cloud account or RAM user) to a CDH Kerberos account. Kerberos accounts use the format `instance-name@realm-name`, for example, `cdn_test@HADOOP.COM`.
Kerberos authentication requires two files:
- krb5.conf: Stores the Key Distribution Center (KDC) server configuration.
- keytab file: Stores the identity verification credentials for the resource entity. Name the file in the format `kerberos-account.keytab`.
Add the account information and upload the required files as instructed on the page.
Note
- Kerberos account mapping is required if Kerberos authentication is enabled for Hive Metastore on the CDH cluster. Without it, metadata retrieval is affected.
- If you use the Presto component with Kerberos account mapping, configure the `Config.Properties` and `Presto.Jks` files in the cluster's basic information.
- Make sure the Kerberos service is enabled for the cluster.
OPEN LDAP Account Mapping
Map each Alibaba Cloud account (Alibaba Cloud account or RAM user) to a CDH OPEN LDAP account. Add the account information as instructed on the page.
Note
- If you use the Presto component with OPEN LDAP account mapping, configure the `Config.Properties` and `Presto.Jks` files in the cluster's basic information.
- Make sure the OPEN LDAP service is enabled for the cluster.

- Click Finish Editing.
Result
The account mapping is now configured. Tasks run by an Alibaba Cloud account will use the mapped cluster account.
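
The following added example (not DataWorks code) models the identity rules described in this topic as a pre-flight check on a planned mapping: it reports which workspace members' tasks would fail for lack of an access identity and resolves same-name mappings. It also flags cluster accounts shared by several members, a check that goes beyond this topic, since members mapped to one account are not isolated from each other. The function names, the `SAME_NAME` sentinel, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

SAME_NAME = object()  # sentinel for "Same-name mapping (default)" on a RAM user

def same_name_account(ram_user):
    """Same-name mapping: the part of the RAM user ID before the @ symbol."""
    return ram_user.split("@", 1)[0]

def resolve_identity(default_identity, mapping_type, mappings, submitter,
                     cluster_account=None):
    """Return (account, None) if a task can run, else (None, reason)."""
    if default_identity == "Cluster account":
        return cluster_account, None  # fixed account, whoever submits
    if mapping_type == "No Authentication":
        return None, "mapping account + No Authentication: no access identity"
    entry = mappings.get(submitter)
    if entry is None:
        return None, "no cluster account mapped to submitter"
    if entry is SAME_NAME:
        if mapping_type != "System Account Mapping":
            return None, "same-name mapping is described only for system accounts"
        return same_name_account(submitter), None
    if mapping_type == "Kerberos Account Mapping":
        instance, sep, realm = entry.partition("@")
        if not (instance and sep and realm):
            return None, "Kerberos account is not instance-name@realm-name"
    return entry, None

def audit(default_identity, mapping_type, mappings, members, cluster_account=None):
    """Report members whose tasks would fail and accounts shared by several members."""
    failures, users = {}, defaultdict(list)
    for member in members:
        account, reason = resolve_identity(default_identity, mapping_type,
                                           mappings, member, cluster_account)
        if reason:
            failures[member] = reason
        else:
            users[account].append(member)
    shared = {a: u for a, u in users.items() if len(u) > 1}
    return failures, shared

# Constructed sample data (not taken from a real workspace).
MEMBERS = ["ram_user_1@xxx.onaliyun.com", "ram_user_2@xxx.onaliyun.com",
           "ram_user_3@xxx.onaliyun.com"]
MAPPINGS = {MEMBERS[0]: SAME_NAME, MEMBERS[1]: "ram_user_1"}

if __name__ == "__main__":
    print(audit("Mapping account", "System Account Mapping", MAPPINGS, MEMBERS))
```

In the sample, `ram_user_3` has no mapping and would fail, while `ram_user_1` and `ram_user_2` both resolve to the cluster account `ram_user_1` and therefore share one identity.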