hadoop-mapreduce-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Devaraj Das <d...@hortonworks.com>
Subject Re: Hadoop Security - TaskTracker and Active Directory
Date Sat, 01 Oct 2011 15:14:31 GMT
The Cluster KDC should be set up to trust the Active Directory KDC (cross-realm trust in the
kerberos lingo). This handles the cases of user authentication when a user talks to a server
in the cluster directly (e.g., user->namenode). 
The GID and other user attributes are usually stored in ldap. The cluster nodes are set up
to talk to the cluster specific ldap server. 

On Sep 30, 2011, at 7:19 PM, bigbibguy father wrote:

> We are planning to enable secure Hadoop using Kerberos. 
> 
> Our users reside in the active directory. We read that there are two options  to use
Kerberos for securing Hadoop.
> 
> 1) You run Kerberos on machine local to the cluster and create service principals here
> 2) Use Active Directory itself as the kerberos KDC and create service principals also
in Active Directory.
> 
> It seems cloudera and industry in general recommends option1 of running a local KDC for
authernticating service principals.
> https://ccp.cloudera.com/display/CDHDOC/Integrating+Hadoop+Security+with+Active+Directory
> 
>  I read that the tasktrackers run tasks as the user who submitted the user. In that case
, doesn't the TaskTracker nodes need to talk to the Active Directory to get the user details
like gid etc ?
> 
> So does this mean that every node (tasktrackers, job tracker and namenode)  will be interacting
with the Active Directory anyway ?
> 
> If so, option 1 doesn't seem to be superior since each node has to talk to two kdc's
- local kerberos for authenticating service principals, Active Directory to get the user details
and group information . 
> 
> Please correct me if I am wrong in my assumptions.
> 
> Thanks and Regards,
> 
> BBG


Mime
View raw message