- Release Notes
- Get Started
- Clusters
- Cloud Settings
- Table Type
- Query Data Lakes
- Integration
- Query Acceleration
- Data Loading
- Concepts
- Batch load data from Amazon S3
- Batch load data from Azure cloud storage
- Load data from a local file system
- Load data from Confluent Cloud
- Load data from Amazon MSK
- Load data from Amazon Kinesis
- Data Unloading
- Data Backup
- Security
- Console Access Control
- Data Access Control
- Application keys
- Service accounts
- Use SSL connection
- Alarm
- Usage and Billing
- Organizations and Accounts
- Reference
- Amazon Web Services (AWS)
- Microsoft Azure
- SQL Reference
- Keywords
- ALL statements
- User Account Management
- Cluster Management
- ADMIN CANCEL REPAIR
- ADMIN CHECK TABLET
- ADMIN REPAIR
- ADMIN SET CONFIG
- ADMIN SET REPLICA STATUS
- ADMIN SHOW CONFIG
- ADMIN SHOW REPLICA DISTRIBUTION
- ADMIN SHOW REPLICA STATUS
- ALTER RESOURCE GROUP
- ALTER SYSTEM
- CANCEL DECOMMISSION
- CREATE FILE
- CREATE RESOURCE GROUP
- DROP FILE
- DROP RESOURCE GROUP
- EXPLAIN
- INSTALL PLUGIN
- SET
- SHOW BACKENDS
- SHOW BROKER
- SHOW COMPUTE NODES
- SHOW FRONTENDS
- SHOW FULL COLUMNS
- SHOW INDEX
- SHOW PLUGINS
- SHOW PROCESSLIST
- SHOW RESOURCE GROUP
- SHOW TABLE STATUS
- SHOW FILE
- SHOW VARIABLES
- UNINSTALL PLUGIN
- DDL
- ALTER DATABASE
- ALTER MATERIALIZED VIEW
- ALTER TABLE
- ALTER VIEW
- ANALYZE TABLE
- BACKUP
- CANCEL ALTER TABLE
- CANCEL BACKUP
- CANCEL RESTORE
- CREATE ANALYZE
- CREATE DATABASE
- CREATE EXTERNAL CATALOG
- CREATE INDEX
- CREATE MATERIALIZED VIEW
- CREATE REPOSITORY
- CREATE TABLE AS SELECT
- CREATE TABLE LIKE
- CREATE TABLE
- CREATE VIEW
- CREATE FUNCTION
- DROP ANALYZE
- DROP STATS
- DROP CATALOG
- DROP DATABASE
- DROP INDEX
- DROP MATERIALIZED VIEW
- DROP REPOSITORY
- DROP TABLE
- DROP VIEW
- DROP FUNCTION
- KILL ANALYZE
- RECOVER
- REFRESH EXTERNAL TABLE
- RESTORE
- SET CATALOG
- SHOW ANALYZE JOB
- SHOW ANALYZE STATUS
- SHOW META
- SHOW FUNCTION
- TRUNCATE TABLE
- USE
- DML
- ALTER LOAD
- ALTER ROUTINE LOAD
- BROKER LOAD
- CANCEL LOAD
- CANCEL EXPORT
- CANCEL REFRESH MATERIALIZED VIEW
- CREATE ROUTINE LOAD
- DELETE
- EXPORT
- GROUP BY
- INSERT
- PAUSE ROUTINE LOAD
- RESUME ROUTINE LOAD
- REFRESH MATERIALIZED VIEW
- SELECT
- SHOW ALTER
- SHOW ALTER MATERIALIZED VIEW
- SHOW BACKUP
- SHOW CATALOGS
- SHOW CREATE CATALOG
- SHOW CREATE MATERIALIZED VIEW
- SHOW CREATE TABLE
- SHOW CREATE VIEW
- SHOW DATA
- SHOW DATABASES
- SHOW DELETE
- SHOW DYNAMIC PARTITION TABLES
- SHOW EXPORT
- SHOW LOAD
- SHOW MATERIALIZED VIEW
- SHOW PARTITIONS
- SHOW REPOSITORIES
- SHOW RESTORE
- SHOW ROUTINE LOAD
- SHOW ROUTINE LOAD TASK
- SHOW SNAPSHOT
- SHOW TABLES
- SHOW TABLET
- SHOW TRANSACTION
- STOP ROUTINE LOAD
- STREAM LOAD
- SUBMIT TASK
- UPDATE
- Auxiliary Commands
- Data Types
- Keywords
- SQL Functions
- Function list
- Java UDFs
- Window functions
- Lambda expression
- Date Functions
- add_months
- adddate
- convert_tz
- current_date
- current_time
- current_timestamp
- date
- date_add
- date_diff
- date_format
- date_slice
- date_sub, subdate
- date_trunc
- datediff
- day
- dayofweek_iso
- dayname
- dayofmonth
- dayofweek
- dayofyear
- days_add
- days_diff
- days_sub
- from_days
- from_unixtime
- hour
- hours_add
- hours_diff
- hours_sub
- jodatime_format
- last_day
- makedate
- microseconds_add
- microseconds_sub
- minute
- minutes_add
- minutes_diff
- minutes_sub
- month
- monthname
- months_add
- months_diff
- months_sub
- next_day
- now
- previous_day
- quarter
- second
- seconds_add
- seconds_diff
- seconds_sub
- str_to_date
- str_to_jodatime
- str2date
- time_slice
- time_to_sec
- timediff
- timestamp
- timestampadd
- timestampdiff
- to_date
- to_days
- to_iso8601
- to_tera_date
- to_tera_timestamp
- unix_timestamp
- utc_timestamp
- week
- week_iso
- weekofyear
- weeks_add
- weeks_diff
- weeks_sub
- year
- years_add
- years_diff
- years_sub
- Aggregate Functions
- any_value
- approx_count_distinct
- array_agg
- avg
- bitmap
- bitmap_agg
- count
- count_if
- corr
- covar_pop
- covar_samp
- group_concat
- grouping
- grouping_id
- hll_empty
- hll_hash
- hll_raw_agg
- hll_union
- hll_union_agg
- max
- max_by
- min
- min_by
- multi_distinct_sum
- multi_distinct_count
- percentile_approx
- percentile_cont
- percentile_disc
- retention
- stddev
- stddev_samp
- sum
- variance, variance_pop, var_pop
- var_samp
- window_funnel
- Geographic Functions
- String Functions
- append_trailing_char_if_absent
- ascii
- char
- char_length
- character_length
- concat
- concat_ws
- ends_with
- find_in_set
- group_concat
- hex
- hex_decode_binary
- hex_decode_string
- instr
- lcase
- left
- length
- locate
- lower
- lpad
- ltrim
- money_format
- null_or_empty
- parse_url
- repeat
- replace
- reverse
- right
- rpad
- rtrim
- space
- split
- split_part
- substring_index
- starts_with
- strleft
- strright
- str_to_map
- substring
- trim
- ucase
- unhex
- upper
- url_decode
- url_encode
- Pattern Matching Functions
- JSON Functions
- Overview of JSON functions and operators
- JSON operators
- JSON constructor functions
- JSON query and processing functions
- Bit Functions
- Bitmap Functions
- Array Functions
- all_match
- any_match
- array_agg
- array_append
- array_avg
- array_concat
- array_contains
- array_contains_all
- array_cum_sum
- array_difference
- array_distinct
- array_filter
- array_generate
- array_intersect
- array_join
- array_length
- array_map
- array_max
- array_min
- array_position
- array_remove
- array_slice
- array_sort
- array_sortby
- array_sum
- arrays_overlap
- array_to_bitmap
- cardinality
- element_at
- reverse
- unnest
- Map Functions
- Binary Functions
- cast function
- hash function
- Cryptographic Functions
- Math Functions
- Pattern Matching Functions
- Percentile Functions
- Scalar Functions
- Struct Functions
- Table Functions
- Utility Functions
- AUTO_INCREMENT
- Generated columns
- System variables
- System limits
- Information Schema
- Overview
- be_bvars
- be_cloud_native_compactions
- be_compactions
- character_sets
- collations
- column_privileges
- columns
- engines
- events
- global_variables
- key_column_usage
- load_tracking_logs
- loads
- materialized_views
- partitions
- pipe_files
- pipes
- referential_constraints
- routines
- schema_privileges
- schemata
- session_variables
- statistics
- table_constraints
- table_privileges
- tables
- tables_config
- task_runs
- tasks
- triggers
- user_privileges
- views
- System Metadatabase
- API
- Overview
- Actions
- Clusters
- Create and Manage Clusters
- Query Clusters
- Identity and Access Management
- Organization and Account
- Usage and Billing
- Clusters
- Terraform Provider
- Run scripts
Map LDAP groups to CelerData cluster
This topic describes how to map the user and group membership information in your LDAP service to your CelerData cluster. By allowing access of your LDAP information to your CelerData cluster, you enable the cluster to automatically manage the users and privileges according to your LDAP information, not only greatly simplifying the authentication and authorization experiences with LDAP on your CelerData cluster, but also significantly increasing the consistency of user information between the two services.
CAUTION
Only users with the SECURITY privilege on the SYSTEM level can perform the following operations.
Overview
CelerData offers a new feature - Security Integration, which automates the user and privilege management at the stage of user login. By creating a security integration within your CelerData cluster, you can allow access of your LDAP service to CelerData. CelerData caches the group membership information of your LDAP service according to the mapping policies you created, and refreshes the cache whenever needed.
Users can log in to a CelerData cluster with the authentication method that your LDAP service supports. Each time a user logs in to a CelerData cluster, the cluster does as follows:
The cluster first checks whether the user exists in your LDAP service and whether the authentication is valid.
- If the user exists and the authentication is valid, the cluster creates a dummy user account with the LDAP username the user logs in with.
- If the user does not exist in the LDAP service or the authentication is invalid, the cluster returns login failure.
Then, it checks to which group the user belongs by querying the cached group membership information.
- If the user belongs to a specific group, the cluster grants the corresponding roles (with specific privileges) to the dummy user account, and returns login success.
- If the user does not belong to any group, the cluster returns login failure.
Create a security integration
To map your LDAP service to your CelerData cluster, you need to configure the connection between them via a security integration.
Syntax:
CREATE SECURITY INTEGRATION <security_integration_name>
PROPERTIES (
"type" = "ldap",
"ldap_server_host" = "",
"ldap_server_port" = "",
"ldap_bind_base_dn" = "",
"ldap_user_search_attr" = "",
"ldap_user_group_match_attr" = "",
"ldap_bind_root_dn" = "",
"ldap_bind_root_pwd" = "",
"ldap_cache_refresh_interval" = "",
"ldap_ssl_conn_allow_insecure" = "{true | false}",
"ldap_ssl_conn_trust_store_path" = "",
"ldap_ssl_conn_trust_store_pwd" = "",
"comment" = ""
)
Parameters:
Parameter | Required | Description |
---|---|---|
security_integration_name | Yes | The name of the security integration. NOTE The security integration name is globally unique. You cannot specify this parameter as native . |
type | Yes | The type of the security integration. Specify it as ldap . |
ldap_server_host | No | The IP address of your LDAP service. Default: 127.0.0.1 . |
ldap_server_port | No | The port of your LDAP service. Default: 389 . |
ldap_bind_base_dn | Yes | The base Distinguished Name (DN) of the LDAP user for which the cluster searches. |
ldap_user_search_attr | Yes | The user's attribute used to log in to the LDAP service, for example, uid . |
ldap_user_group_match_attr | No | If the user's attribute as the member of a group is different from the user's DN, you must specify this parameter. For example, if a user's DN is uid=bob,ou=people,o=celerdata,dc=com , but its attribute as a group member is memberUid=bob,ou=people,o=celerdata,dc=com , you need to specify ldap_user_search_attr as uid and ldap_user_group_match_attr as memberUid . If this parameter is not specified, the value you specified in ldap_user_search_attr is used. You can also specify a regular expression to match the members in the group. The regular expression must be prefixed by regex: . Suppose a group has a member CN=Poornima K Hebbar (phebbar),OU=User Policy 0,OU=All Users,DC=SEA,DC=CORP,DC=EXPECN,DC=com . If you specify this property as regex:CN=.*\\(([^)]+)\\) , it will match the member phebbar . |
ldap_bind_root_dn | Yes | The admin DN of your LDAP service. |
ldap_bind_root_pwd | Yes | The admin password of your LDAP service. |
ldap_cache_refresh_interval | No | The interval at which the cluster automatically refreshes the cached LDAP group information. Unit: Seconds. Default: 900 . |
ldap_ssl_conn_allow_insecure | No | Whether to use the non-SSL connection to the LDAP server. Default: true . Setting this value to false indicates to enable LDAP over SSL. If you enable LDAP SSL connection, you must either upload the SSL certificate to the Java TrustStore paths on each FE node (recommended), or specify the local path that stores the certificate using the properties ldap_ssl_conn_trust_store_path and ldap_ssl_conn_trust_store_pwd . |
ldap_ssl_conn_trust_store_path | No | The local path that stores the LDAP SSL certificate. |
ldap_ssl_conn_trust_store_pwd | No | The password used to access the LDAP SSL certificate that is stored locally. |
comment | No | The description of the security integration. |
CAUTION
your CelerData cluster does not offer connectivity checks when you create a security integration.
Configure authentication chain
After the security integration is created, it is added to your CelerData cluster as a new authentication method. You must enable the security integration by setting the order of the authentication methods via the FE dynamic configuration item authentication_chain
. In this case, you need to set the security integration as the preferred authentication method and then the native authentication of the CelerData cluster.
ADMIN SET FRONTEND CONFIG (
"authentication_chain" = "<security_integration_name>, native"
);
NOTE
- If
authentication_chain
is not specified, only the native authentication is enabled.- Once
authentication_chain
is set, your CelerData cluster first verifies the user login with the top preferred authentication method. If a login fails with the preferred authentication method, the cluster follows the specified order to try the next authentication method.
You can check the value of authentication_chain
using the following statement:
ADMIN SHOW FRONTEND CONFIG LIKE 'AUTHENTICATION_CHAIN';
Create mapping policy
After the order of the authentication methods is set, you need to create policies to map your LDAP groups to roles in your CelerData cluster using the following statement. Each time you can map multiple LDAP groups to one role in your CelerData cluster. The relationship across the groups in the list is |
.
Syntax:
CREATE ROLE MAPPING <map_name>
PROPERTIES (
"integration_name"="",
"role"="",
"ldap_group_list"=""
)
Parameters:
Parameter | Required | Description |
---|---|---|
map_name | Yes | The name of the mapping policy. |
integration_name | Yes | The security integration for which the mapping policy is enabled. |
role | Yes | The name of the role to which the LDAP groups are mapped. |
ldap_group_list | Yes | The DN list of the LDAP group(s) to which the role is mapped, for example, ['cn=group1,ou=groups,o=celerdata,dc=com','cn=group2,ou=groups,o=celerdata,dc=com'] . The relationship across the groups in the list is ` |
NOTE
- Once the mapping policy is created and the security integration is enabled, your CelerData cluster grabs and caches all the members of the groups specified in the
ldap_group_list
. If the mapping policy is created but the security integration is not enabled, the information will not be cached.- By default, your CelerData cluster searches the members in the group using
member
,uniqueMember
, andmemberUid
.- By default, each group is expanded recursively. Your CelerData cluster expands all the members with
objectClass
ofgroupOfNames
,groupOfUniqueNames
, andposixGroup
, and searches for the members with the corresponding attributes.
Refresh the cache
Once the mapping policy is created and the security integration is enabled, your CelerData cluster grabs and caches the corresponding group membership information. Generally, the cluster refreshes the cache with the following mechanisms:
Automatic refresh:
Your CelerData cluster automatically refreshes the cache at the interval specified in the security integration property
ldap_cache_refresh_interval
.Triggered refresh:
Each time the cluster fails to find the corresponding group membership information in the existing cache when a user logs in, it refreshes the cache to search for the user in the updated cache.
Manual refresh:
You can trigger a manual refresh whenever needed.
REFRESH ALL ROLE MAPPINGS;
Manage your security integrations and mapping policies
Manage security integrations
You can alter the configuration of an existing security integration using the following statement:
ALTER SECURITY INTEGRATION <security_integration_name> SET
PROPERTIES (
"key"="value"[, ...]
)
CAUTION
You cannot alter the
type
of a security integration.
You can drop an existing security integration using the following statement:
DROP SECURITY INTEGRATION <security_integration_name>
You can view all security integrations in your CelerData cluster using the following statement:
SHOW SECURITY INTEGRATIONS;
Example:
SHOW SECURITY INTEGRATIONS;
+--------+--------+---------+
| Name | Type | Comment |
+--------+--------+---------+
| LDAP1 | LDAP | NULL |
+--------+--------+---------+
Parameter | Description |
---|---|
Name | The name of the security integration. |
Type | The type of the security integration. |
Comment | The description of the security integration. NULL is returned when no description is specified for the security integration. |
You can check the details of a security integration using the following statement:
SHOW CREATE SECURITY INTEGRATION <integration_name>
Example:
SHOW CREATE SECURITY INTEGRATION LDAP1;
+----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Security Integration | Create Security Integration |
+----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| LDAP1 | CREATE SECURITY INTEGRATION LDAP1
PROPERTIES (
"type" = "ldap",
"ldap_server_host"="",
"ldap_server_port"="",
"ldap_bind_base_dn"="",
"ldap_user_search_attr"="",
"ldap_bind_root_dn"="",
"ldap_bind_root_pwd"="*****",
"ldap_cache_refresh_interval"="",
"comment"=""
)|
+----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
NOTE
ldap_bind_root_pwd
is masked when SHOW CREATE SECURITY INTEGRATION is executed.
Manage mapping policies
You can alter the configuration of an existing mapping policy using the following statement:
ALTER ROLE MAPPING <map_name>
PROPERTIES (
"key"="value"[, ...]
)
You can drop an existing mapping policy using the following statement:
DROP ROLE MAPPING <map_name>
CAUTION
If the
ldap_group_list
of an existing mapping policy is altered, your CelerData cluster automatically refreshes the cache. If the mapping policy is dropped, the cluster deletes the corresponding cache.
You can view all mapping policies using the following statement:
SHOW ROLE MAPPINGS;
Example:
SHOW ROLE MAPPINGS;
+------------------+-----------------+-----------+----------------------------------------+-------------------------+
| Name | IntegrationName | Role | LdapGroupList | LastRefreshCompleteTime |
+------------------+-----------------+-----------+----------------------------------------+-------------------------+
| LDAP1_readonly | ldap1 | readonly | "cn=user,ou=group,o=celerdata,dc=com" | 2023-03-08 10:00:00 |
+------------------+-----------------+-----------+----------------------------------------+-------------------------+
LastRefreshCompleteTime
indicates the time when the last cache refresh completes. You can see whether the cache is up-to-date.