From: Vinod Kumar Vavilapalli
To: user@hadoop.apache.org
Subject: Re: kerberos for outside threads
Date: Wed, 22 Jan 2014 10:21:31 -0800

That is a very appropriate setup. As long as those assumptions remain valid, of course. This was the only way early Hadoop clusters were secured - by restricting access to the cluster using firewalls and gateways.

+Vinod

On Jan 21, 2014, at 4:45 PM, Koert Kuipers wrote:

> but for a hadoop cluster that sits "behind" a bunch of web servers to do say log analysis, and that already is protected by standard measures (no route to cluster from outside, so a web server would have to get compromised to gain access), is there any value in securing it with kerberos? does anyone do that?
