Managing IDCS User Sync
You can activate, deactivate, or update Oracle Identity Cloud Service (IDCS) user sync for any identity domain configured with Big Data Service. Activating the IDCS user sync configuration allows identity domain users to access cluster nodes using their IDCS credentials. This is enabled by setting up the Linux PAM module provided by OCI IDCS on all cluster nodes. Big Data Service configures the PAM module to authenticate IDCS users against the identity domain provided in the configuration. For more information, see: Manage Linux Authentication using the Linux-PAM Module.
Only IDCS users/groups with POSIX attributes are authenticated through Linux PAM. Therefore, users/groups without POSIX attributes can't access Big Data Service cluster nodes. For more information on how to add POSIX attributes to IDCS users/groups, see Add POSIX Attributes to Existing Groups. Similar to UPST configuration, IDCS user sync configuration can be activated either as part of identity configuration creation or as a separate operation on the identity configuration details page.
Enabling Hadoop Resource Access for IDCS Users
In a non-secure (non-Kerberized) cluster, activating IDCS user sync enables IDCS users to access ODH services such as HDFS, YARN, Spark, Hive, Trino, and so on.
In secure (Kerberized) clusters, authentication for Hadoop resources is handled by Kerberos and authorization is managed by Apache Ranger. Big Data Service adds and enables a custom user sync source in Ranger that synchronizes users/groups from the identity domain to the Ranger user database. The Big Data Service administrator can then define Ranger policies that grant Hadoop resource access to IDCS users/groups.
Managing Kerberos Identities for IDCS Users
Big Data Service provides a utility for managing Kerberos identities, located at /usr/local/bin/bds_kdc_utils. Each IDCS user must create their own Kerberos principal and keytab using this utility after signing in to any cluster node.
Managing POSIX Attribute Addition for Existing IDCS Users/Groups
Only IDCS users/groups with POSIX attributes can access Big Data Service resources. To simplify adding POSIX attributes, Big Data Service supports automatic addition of POSIX attributes to all users/groups of the IDCS application. This is enabled by setting POSIX attribute addition required to true in the IDCS user sync configuration. This flag can also be updated after IDCS user sync is activated for a Big Data Service cluster.
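Because users/groups without POSIX attributes can neither authenticate through PAM nor access cluster resources, an administrator will want to confirm that a synced identity-domain user actually resolves on a node with a complete POSIX entry before troubleshooting logins or Kerberos principal creation. The following check is an added example, not part of the Big Data Service documentation or tooling; it assumes the IDCS PAM/NSS integration exposes synced users through getent(1), and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the Big Data Service docs): verify that an
# identity-domain user resolves on a cluster node with complete POSIX
# attributes. Assumes synced users are visible via getent(1) (an assumption).

# check_posix_entry LINE -> 0 if the passwd-format line carries a numeric
# UID, numeric GID, home directory and login shell; 1 otherwise.
# Prints a one-line verdict naming any missing attribute.
check_posix_entry() {
    line=$1
    # passwd format: name:password:uid:gid:gecos:home:shell
    name=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    missing=""
    # UID/GID must be non-empty and purely numeric
    case $uid in ''|*[!0-9]*) missing="$missing uid" ;; esac
    case $gid in ''|*[!0-9]*) missing="$missing gid" ;; esac
    [ -n "$home" ]  || missing="$missing home"
    [ -n "$shell" ] || missing="$missing shell"
    if [ -n "$missing" ]; then
        printf '%s: missing POSIX attributes:%s\n' "$name" "$missing"
        return 1
    fi
    printf '%s: POSIX attributes present (uid=%s gid=%s)\n' "$name" "$uid" "$gid"
    return 0
}

# check_user NAME -> look the user up through NSS on this node and validate
# the returned entry; fails if the identity domain did not sync the user.
check_user() {
    entry=$(getent passwd "$1") || {
        printf '%s: not resolvable via NSS on this node\n' "$1"
        return 1
    }
    check_posix_entry "$entry"
}

# Constructed sample entries for an offline run: one complete, one that was
# synced without UID/GID/shell (as happens when POSIX attributes are absent).
SAMPLE_OK='alice:x:2001:2001:Alice Example:/home/alice:/bin/bash'
SAMPLE_BAD='bob:x:::Bob Example:/home/bob:'
```

On a live node, run check_user with the identity-domain username; a "missing POSIX attributes" verdict points at the IDCS user/group definition rather than at PAM or Kerberos.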