Synchronize Azure Active Directory users to an HDInsight cluster

HDInsight clusters with Enterprise Security Package (ESP) can use strong authentication with Azure Active Directory (Azure AD) users and can apply Azure role-based access control (Azure RBAC) policies. As you add users and groups to Azure AD, you can synchronize the users who need access to your cluster.

Prerequisites

If you have not already done so, create an HDInsight cluster with Enterprise Security Package.

Add new Azure AD users

To view your hosts, open the Ambari Web UI. Each node will be updated with new unattended upgrade settings.

  1. From the Azure portal, navigate to the Azure AD directory associated with your ESP cluster.

  2. Select All users from the left-hand menu, then select New user.

    (Screenshot: Azure portal - Users and groups - All users)

  3. Complete the new user form. Select the groups you created for assigning cluster-based permissions. In this example, create a group named "HiveUsers", to which you can assign new users. The example instructions for creating an ESP cluster include adding two groups, HiveUsers and AAD DC Administrators.

    (Screenshot: Azure portal - User pane - Select groups)

  4. Select Create.

Use the Apache Ambari REST API to synchronize users

User groups specified during the cluster creation process are synchronized at that time. User synchronization occurs automatically once every hour. To synchronize users immediately, or to synchronize a group other than the groups specified during cluster creation, use the Ambari REST API.

The following method uses POST with the Ambari REST API. For more information, see Manage HDInsight clusters by using the Apache Ambari REST API.

  1. Use the ssh command to connect to your cluster. Edit the command below by replacing CLUSTERNAME with the name of your cluster, and then enter the command:

    ssh sshuser@CLUSTERNAME-ssh.azurehdinsight.cn
    
  2. After authenticating, enter the following command:

    curl -u admin:PASSWORD -sS -H "X-Requested-By: ambari" \
    -X POST -d '{"Event": {"specs": [{"principal_type": "groups", "sync_type": "existing"}]}}' \
    "https://CLUSTERNAME.azurehdinsight.cn/api/v1/ldap_sync_events"
    

    The response should look like this:

    {
      "resources" : [
        {
          "href" : "http://<ACTIVE-HEADNODE-NAME>.<YOUR DOMAIN>.com:8080/api/v1/ldap_sync_events/1",
          "Event" : {
            "id" : 1
          }
        }
      ]
    }
    
  3. To see the synchronization status, execute a new curl command:

    curl -u admin:PASSWORD https://CLUSTERNAME.azurehdinsight.cn/api/v1/ldap_sync_events/1
    

    The response should look like this:

    {
      "href" : "http://<ACTIVE-HEADNODE-NAME>.YOURDOMAIN.com:8080/api/v1/ldap_sync_events/1",
      "Event" : {
        "id" : 1,
        "specs" : [
          {
            "sync_type" : "existing",
            "principal_type" : "groups"
          }
        ],
        "status" : "COMPLETE",
        "status_detail" : "Completed LDAP sync.",
        "summary" : {
          "groups" : {
            "created" : 0,
            "removed" : 0,
            "updated" : 0
          },
          "memberships" : {
            "created" : 1,
            "removed" : 0
          },
          "users" : {
            "created" : 1,
            "removed" : 0,
            "skipped" : 0,
            "updated" : 0
          }
        },
        "sync_time" : {
          "end" : 1497994072182,
          "start" : 1497994071100
        }
      }
    }
    
  4. This result shows that the status is COMPLETE, one new user was created, and the user was assigned a membership. In this example, the user is assigned to the "HiveUsers" synchronized LDAP group, since the user was added to that same group in Azure AD.

    Note

    The previous method only synchronizes the Azure AD groups specified in the Access user group property of the domain settings during cluster creation.
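The same sync as an added Python example, which is not from this page or from HDInsight's own tooling: it posts the request body shown above, then polls the event until it leaves an in-progress state and reports the summary, so the result can be checked by a script rather than by eye. It assumes the cluster name in HDI_CLUSTER and the admin credentials in AMBARI_USER and AMBARI_PASSWORD (all names of my choosing), and that PENDING and RUNNING are the only in-progress statuses.

```python
import base64
import json
import os
import time
import urllib.request

# Assumed names: cluster placeholder and credentials come from the environment,
# so the admin password never appears in shell history or `ps` output.
CLUSTER = os.environ.get("HDI_CLUSTER", "CLUSTERNAME")
BASE_URL = f"https://{CLUSTER}.azurehdinsight.cn/api/v1"
SYNC_SPEC = {"Event": {"specs": [{"principal_type": "groups", "sync_type": "existing"}]}}

def ambari_request(method, path, body=None):
    """Call the Ambari REST API with HTTP basic auth and the X-Requested-By header."""
    user = os.environ.get("AMBARI_USER", "admin")
    token = base64.b64encode(f"{user}:{os.environ['AMBARI_PASSWORD']}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Authorization": "Basic " + token,
                                          "X-Requested-By": "ambari"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

def event_id_from_post(resp):
    """Pull the new event id out of the POST /ldap_sync_events response."""
    return int(resp["resources"][0]["Event"]["id"])

def summarize_event(resp):
    """Reduce a GET /ldap_sync_events/<id> response to the fields worth checking."""
    event = resp["Event"]
    summary = event.get("summary", {})
    return {
        "status": event.get("status"),
        "detail": event.get("status_detail", ""),
        "users_created": summary.get("users", {}).get("created", 0),
        "memberships_created": summary.get("memberships", {}).get("created", 0),
    }

def wait_for_sync(fetch, event_id, attempts=15, delay=2.0):
    """Poll until the event leaves PENDING/RUNNING; fetch(path) is injected so it can be stubbed."""
    for _ in range(attempts):
        info = summarize_event(fetch(f"/ldap_sync_events/{event_id}"))
        if info["status"] not in ("PENDING", "RUNNING"):
            return info  # COMPLETE, or a failure status the operator must look at
        time.sleep(delay)
    raise TimeoutError(f"LDAP sync event {event_id} did not finish after {attempts} polls")

if __name__ == "__main__":
    eid = event_id_from_post(ambari_request("POST", "/ldap_sync_events", SYNC_SPEC))
    print(json.dumps(wait_for_sync(lambda p: ambari_request("GET", p), eid), indent=2))
```

Any status other than COMPLETE, or a TimeoutError, is a sync that needs attention; the note above still applies, since only the groups configured at cluster creation are synchronized.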

Verify the newly added Azure AD user

Open the Apache Ambari Web UI to verify that the new Azure AD user was added. Access the Ambari Web UI by browsing to https://CLUSTERNAME.azurehdinsight.cn. Enter the cluster administrator username and password.

  1. From the Ambari dashboard, select Manage Ambari under the admin menu.

    (Screenshot: Apache Ambari dashboard - Manage Ambari)

  2. Select Users under the User + Group Management menu group on the left-hand side of the page.

    (Screenshot: HDInsight Users and Groups menu)

  3. The new user should be listed within the Users table. The Type is set to LDAP rather than Local.

    (Screenshot: HDInsight AAD users page overview)

Log in to Ambari as the new user

When the new user (or any other domain user) logs in to Ambari, they use their full Azure AD user name and domain credentials. Ambari displays a user alias, which is the display name of the user in Azure AD. The new example user has the user name hiveuser3@contoso.com. In Ambari, this new user shows up as hiveuser3, but the user logs in to Ambari as hiveuser3@contoso.com.

See also