ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Levas <rle...@hortonworks.com>
Subject Re: Datanode does not need hdfs.headless.keytab ?
Date Wed, 04 Apr 2018 19:17:10 GMT
The DN does not need to authenticate as the "root" HDFS user to perform administrative tasks.
 

A while back, we started an initiative to reduce the exposure of the HDFS "root" user due
to security concerns.  In doing so, we tightened up where we distribute the HDFS keytab file.
However since then some services need to create directories and change permissions on them
as the HDFS root user upon installation; and thus, the keytab file is being distributed more
than some security-conscious people would like.  Until we find a way to centralize the creation
of these HDFS resources, we need to deal with this.  

You should not normally need the HDFS keytab file on DN hosts... are you having an issue?


Rob


´╗┐On 4/4/18, 2:15 PM, "Di Li" <osjiras@gmail.com> wrote:

    Hi folks,
    
    I noticed hdfs.headless.keytab only exists on NameNode and HDFS client
    node.
    
    Could someone please share some details on why DN does not need the
    hdfs.headless.keytab ? I thought we need it in order for DN to work against
    NN.
    
    Any negative impacts if I always include hdfs.headless.keytab on the DN
    nodes  (such as ensure HDFS client always cohost with DNs) ?
    
    Thank you.
    
    Di
    

Mime
View raw message