hadoop-common-user mailing list archives

From Rakesh Radhakrishnan <rake...@apache.org>
Subject Re: Setting up secure Multi-Node cluster
Date Tue, 28 Jun 2016 03:28:33 GMT
Hi Aneela,

IIUC, the Namenode and Datanode are using the _HOST pattern in their
principals, and you need to create separate principals for the NN and DN if
they run on different machines. I hope the explanation below will help you.

"dfs.namenode.kerberos.principal" is typically set to nn/_HOST@REALM. Each
Namenode will substitute the _HOST with its own fully qualified hostname at
startup. The _HOST placeholder allows using the same configuration setting
on both Active and Standby NameNodes in an HA setup.

Similarly, "dfs.datanode.kerberos.principal" will be set to dn/_HOST@REALM.
The DataNode will substitute _HOST with its own fully qualified hostname at
startup. The _HOST placeholder allows using the same configuration setting
on all DataNodes.

Again, if you are using an HA setup with QJM,
"dfs.journalnode.kerberos.principal" will be set to jn/_HOST@REALM.

> Do I need to copy all the kerberos configuration files like kdc.conf
> and krb5.conf etc on every node in default locations?

Yes, you need to place these in appropriate paths in all the machines.

Regards,
Rakesh

On Tue, Jun 28, 2016 at 3:15 AM, Aneela Saleem <aneela@platalytics.com>
wrote:

> Hi all,
>
> I have configured Kerberos for single node cluster successfully. I used
> this
> <http://queryio.com/hadoop-big-data-docs/hadoop-big-data-admin-guide/queryio/hadoop-security-setup-kerberos.html#add_admin>
> documentation for configurations. Now I'm enabling security for multi node
> cluster and I have some confusions about that. Like
>
> How would principals be managed for namenode and datanode? Because till
> now I had only one principal *hdfs/_HOST@platalyticsrealm* used for both
> namenode as well as for datanode. Do I need to add separate principals for
> both namenode and datanode having different hostnames? For example:
> if my namenode hostname is *hadoop-master* then there should be principal
> added *nn/hadoop-master@platalyticsrealm* (with appropriate keytab file)
> if my datanode hostname is *hadoop-slave* then there should be principal
> added *dn/hadoop-slave@platalyticsrealm* (with appropriate keytab file)
>
> Do I need to copy all the kerberos configuration files like kdc.conf and
> krb5.conf etc on every node in default locations?
>
> A little guidance would be highly appreciated. Thanks
>
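
A check for the _HOST substitution described in the reply, added here as an example and not code from the thread or from Hadoop: it models the substitution and compares the result with the principals a node's keytab actually holds. The realm EXAMPLE.COM, the hostnames, the keytab path and the klist output are constructed, and lower-casing the FQDN is an assumption modelled on Hadoop's SecurityUtil.

```python
import re

# Constructed `klist -kt` output for one node's keytab (not from the thread).
# The dn entry was created with the short hostname instead of the FQDN.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/security/keytabs/hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   2 06/28/2016 03:10:00 dn/hadoop-slave@EXAMPLE.COM
   2 06/28/2016 03:10:00 jn/hadoop-slave.example.com@EXAMPLE.COM
"""

def resolve_principal(configured, fqdn):
    """Model of the startup substitution: service/_HOST@REALM -> service/fqdn@REALM."""
    parts = re.split(r"[/@]", configured)
    if len(parts) != 3 or parts[1] != "_HOST":
        return configured  # no placeholder, the value is used as written
    # Assumption: the FQDN is lower-cased before it is substituted.
    return f"{parts[0]}/{fqdn.lower()}@{parts[2]}"

def keytab_principals(klist_output):
    """Collect principal names from `klist -kt <keytab>` text output."""
    found = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry rows are: KVNO, date, time, principal. Headers are skipped.
        if len(fields) >= 4 and fields[0].isdigit():
            found.add(fields[-1])
    return found

def missing_principals(configured, fqdn, klist_output):
    """Resolved principals that the keytab on this host cannot satisfy."""
    have = keytab_principals(klist_output)
    resolved = (resolve_principal(p, fqdn) for p in configured)
    return sorted(p for p in resolved if p not in have)

if __name__ == "__main__":
    roles = ["dn/_HOST@EXAMPLE.COM", "jn/_HOST@EXAMPLE.COM"]
    for p in missing_principals(roles, "hadoop-slave.example.com", SAMPLE_KLIST):
        print("keytab has no entry for", p)
```

Run against each node's own FQDN and keytab listing, this flags a principal created with a short or differently cased hostname before the daemon fails to log in with it.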
