From: Koert Kuipers
To: user@hadoop.apache.org, bantony@gmail.com
Date: Mon, 3 Feb 2014 23:34:07 -0500
Subject: Re: kerberos principals per node necessary?
List: user@hadoop.apache.org

Interesting! Thanks for that information, very helpful.

On Mon, Feb 3, 2014 at 6:04 PM, Benoy Antony <bantony@gmail.com> wrote:
> It's a bad idea, Koert.
> When multiple nodes are using the same principal (in this case all the
> datanodes), it will result in the server assuming that it's a replay attack
> and result in denial of service.
>
> More details here:
>
> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.2.1/CDH4-Security-Guide/cdh4sg_topic_17.html#concept_hfv_zqw_wj_unique_1
>
> and here
> http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html
>
> benoy
>
>
> On Sun, Feb 2, 2014 at 3:14 PM, Koert Kuipers <koert@tresata.com> wrote:
>
>> Is it necessary to create a kerberos principal for hdfs on every node, as
>> in hdfs/some-host@SOME-REALM?
>> Why not use one principal hdfs@SOME-REALM? That way I could distribute
>> the same keytab file to all nodes, which makes things a lot easier.
>> thanks! koert
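The failure mode Benoy describes, as an added example that is not part of the thread and not Hadoop or MIT Kerberos code: a toy model of the server-side replay cache that the linked MIT page documents. It assumes the cache keys on (client principal, server principal, authenticator timestamp in seconds) and rejects a second hit on the same key inside the clock-skew window; real caches also store microseconds and, in newer MIT releases, a hash of the authenticator, and the principal names, service name and timestamps below are constructed for the demonstration.

```python
# Added example, not code from the Hadoop project or the thread: a toy model of
# the server-side Kerberos replay cache, used to show why every datanode
# presenting the same principal is a problem.
# Assumption: the cache keys on (client principal, server principal,
# authenticator timestamp in seconds) and rejects a second hit on the same key
# within the clock-skew window. Real caches also store microseconds and, in
# newer MIT releases, a hash of the authenticator; all names and times below
# are made up.

from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; krb5's default clockskew


@dataclass(frozen=True)
class Authenticator:
    client: str   # client principal, e.g. hdfs/dn1.example.com@EXAMPLE.COM
    server: str   # service principal the ticket was issued for
    ctime: int    # client timestamp carried in the authenticator (epoch seconds)


class ReplayCache:
    """Rejects any authenticator whose (client, server, ctime) key was
    already seen inside the clock-skew window."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # (client, server, ctime) -> server time when stored

    def check(self, auth, now):
        # Age out entries older than the window; a replay that late would
        # fail the skew check below anyway.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}
        if abs(now - auth.ctime) > self.skew:
            return "clock skew too great"
        key = (auth.client, auth.server, auth.ctime)
        if key in self._seen:
            return "request is a replay"
        self._seen[key] = now
        return "ok"


NN = "nn/namenode.example.com@EXAMPLE.COM"  # constructed service principal
T0 = 1391488447                              # arbitrary fixed clock value


def authenticate_all(client_principals, server=NN, t0=T0):
    """Every datanode authenticates to the same service in the same second,
    as happens at cluster start-up or when heartbeats line up.
    Returns the outcome for each node in order."""
    cache = ReplayCache()
    return [cache.check(Authenticator(p, server, t0), t0) for p in client_principals]


def shared_principal_outcomes(n=3):
    # Koert's proposal: one hdfs@REALM principal and one keytab on every node.
    return authenticate_all(["hdfs@EXAMPLE.COM"] * n)


def per_host_principal_outcomes(n=3):
    # Per-host principals: the client name differs, so the cache keys never collide.
    return authenticate_all([f"hdfs/dn{i}.example.com@EXAMPLE.COM" for i in range(1, n + 1)])


if __name__ == "__main__":
    print("shared principal  :", shared_principal_outcomes())
    print("per-host principal:", per_host_principal_outcomes())
```

With a shared principal only the first datanode to reach the NameNode in a given second gets through; the rest are rejected as replays, which is the denial of service Benoy refers to. With hdfs/host@REALM principals the key includes the host, so the same burst of authentications is accepted, and a genuine replay of one captured authenticator is still caught.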