hadoop-common-dev mailing list archives

From Patrick Angeles <patrickange...@gmail.com>
Subject Re: Hadoop Active Directory Integration
Date Wed, 08 Feb 2012 18:54:33 GMT
On Wed, Feb 8, 2012 at 1:43 PM, Benyi Wang <bewang.tech@gmail.com> wrote:

> Can anyone answer my questions?
> Thanks a lot.
> ---------- Forwarded message ----------
> From: Benyi Wang <bewang.tech@gmail.com>
> Date: Mon, Feb 6, 2012 at 11:07 PM
> Subject: Hadoop Active Directory Integration
> To: common-user@hadoop.apache.org
> Hi,
> I have questions about Hadoop Active Directory Integration:
>   1. When using Active Directory, do we still need to create a Linux
>   account for each user on each Linux node?

Yes. You can do LDAP integration via PAM.

>   2. What about if I enable queue ACLs and use the fair scheduler? Will task
>   trackers send all ACL checks to Active Directory? Can I list the user
>   accounts or AD security groups in mapred-queue-acls.xml? Do I need to
>   create those groups on each Linux node?
The fairscheduler runs entirely on the JT.  Those groups need to resolve on
the JT (and NN) machines.

>   3. Does someone configure Hadoop AD integration in multiple networks?
>   For example, my company has three networks: corp, lab, and prod. A user
>   in the "corp" network can log on to a Windows server in lab or prod. If we
>   want to use a local MIT KDC and set up "one-way cross-realm trust from this
>   realm to the Active Directory realm" as in
>   https://ccp.cloudera.com/display/CDHDOC/Integrating+Hadoop+Security+with+Active+Directory
>   how do we set up Kerberos in such an environment?

You can have a local KDC and realm per cluster, and set up one-way
cross-realm trust on each realm to your corp AD.

>   4. Is this right? If AD is set up, a Windows user can remotely submit a
>   mapred job?
I've never tried this, but my guess is it won't just work.

>   5. What about authorization? Can Hadoop be configured so that only users
>   in the specified AD security groups can submit jobs?
You can do this via ACLs.

> Thanks.
> Ben
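The two points the reply makes about the cross-realm setup (question 3) and about groups having to resolve on the JobTracker/NameNode hosts (questions 2 and 5) meet in one place: an AD principal arriving over the one-way trust is first mapped to a local short name by the hadoop.security.auth_to_local rules, and only that short name and its locally resolved groups are what the queue ACL sees. The script below is an added example written for this page, not code from the thread, from Hadoop or from Cloudera. It is a simplified re-implementation of Hadoop's auth_to_local rule grammar (RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT) and of the "users groups" ACL string format; the realm names, rules, users, groups and the group map standing in for `id -Gn` on the JobTracker are all constructed for the example.

```python
"""Added example: AD principal -> Hadoop short name -> queue ACL decision.

Simplified re-implementation of Hadoop's auth_to_local rule evaluation and
AccessControlList parsing for illustration only; it is not Hadoop's code.
All names below (realms, users, groups, rules) are constructed.
"""
import re

# Assumption: the per-cluster MIT realm that the NN/JT keytabs live in.
LOCAL_REALM = "HADOOP.LAB.EXAMPLE.COM"

# Constructed rules: strip the realm from corporate AD users coming over the
# one-way trust; DEFAULT handles principals issued by the cluster's own realm.
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]

_RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$"
)


def parse_principal(principal):
    """'alice/admin@REALM' -> ('REALM', ['alice', 'admin'])."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %s" % principal)
    return realm, name.split("/")


def apply_rule(rule, realm, components):
    """Short name produced by one rule, or None when the rule does not apply."""
    if rule == "DEFAULT":
        # DEFAULT only fires for the cluster's own realm, so a principal from
        # a realm with no explicit RULE is rejected, not silently mapped.
        return components[0] if realm == LOCAL_REALM else None
    m = _RULE.match(rule)
    if not m:
        raise ValueError("malformed rule: %s" % rule)
    ncomp, fmt, match_re, from_re, to_str, repeat = m.groups()
    if len(components) != int(ncomp):
        return None
    params = [realm] + components  # $0 = realm, $1.. = principal components

    def _param(g):
        idx = int(g.group(1))
        if idx >= len(params):
            raise ValueError("rule %s references missing $%d" % (rule, idx))
        return params[idx]

    base = re.sub(r"\$(\d+)", _param, fmt)
    if match_re is not None and not re.fullmatch(match_re, base):
        return None
    if from_re is not None:
        # Note: Java-style $n backreferences in the replacement are not
        # translated here; the example rules use an empty replacement.
        base = re.sub(from_re, to_str, base, count=0 if repeat else 1)
    return base


def short_name(principal, rules=AUTH_TO_LOCAL):
    """Map a Kerberos principal to the Unix-style name Hadoop authorizes as."""
    realm, components = parse_principal(principal)
    for rule in rules:
        result = apply_rule(rule, realm, components)
        if result is not None:
            # Hadoop refuses a result that still contains '/' or '@'.
            if re.search(r"[/@]", result):
                raise ValueError("non-simple name %r from %s" % (result, rule))
            return result
    raise ValueError("no auth_to_local rule matched %s" % principal)


def acl_allows(acl, user, groups):
    """Hadoop ACL string: '*' = everyone; else 'user1,user2 group1,group2'.
    An empty string or a lone space admits nobody."""
    if acl.strip() == "*":
        return True
    users, _, grps = acl.partition(" ")
    allowed_users = {u.strip() for u in users.split(",") if u.strip()}
    allowed_groups = {g.strip() for g in grps.split(",") if g.strip()}
    return user in allowed_users or bool(allowed_groups & set(groups))


def may_submit(principal, queue_acl, groups_on_jt):
    """End to end: principal -> short name -> groups as resolved on the JT
    (e.g. by the shell-based mapping that runs `id -Gn`) -> ACL decision."""
    user = short_name(principal)
    return acl_allows(queue_acl, user, groups_on_jt.get(user, []))


if __name__ == "__main__":
    # Constructed stand-in for what `id -Gn <user>` returns on the JobTracker.
    groups_on_jt = {"alice": ["hadoop-analysts", "domain users"],
                    "bob": ["domain users"]}
    queue_acl = "ops-admin hadoop-analysts"  # mapred.queue.prod.acl-submit-job
    for p in ("alice@CORP.EXAMPLE.COM", "bob@CORP.EXAMPLE.COM",
              "mapred/jt01.lab.example.com@HADOOP.LAB.EXAMPLE.COM"):
        print(p, "->", short_name(p), "submit:",
              may_submit(p, queue_acl, groups_on_jt))
```

The check that matters operationally is the group lookup: the AD group in the ACL only grants access if the JobTracker host itself resolves the short name into that group (via PAM/LDAP, SSSD or an explicit group mapping), which is why the reply says the groups must resolve on the JT and NN machines and not merely exist in AD.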
