hadoop-mapreduce-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bigbibguy father <bigbib...@gmail.com>
Subject Hadoop Security - TaskTracker and Active Directory
Date Sat, 01 Oct 2011 02:19:46 GMT
We are planning to enable secure Hadoop using Kerberos.

Our users reside in the active directory. We read that there are two options
 to use Kerberos for securing Hadoop.

1) You run Kerberos on machine local to the cluster and create service
principals here
2) Use Active Directory itself as the kerberos KDC and create service
principals also in Active Directory.

It seems cloudera and industry in general recommends option1 of running a
local KDC for authernticating service principals.
https://ccp.cloudera.com/display/CDHDOC/Integrating+Hadoop+Security+with+Active+Directory

 I read that the tasktrackers run tasks as the user who submitted the user.
In that case , doesn't the TaskTracker nodes need to talk to the Active
Directory to get the user details like gid etc ?

So does this mean that every node (tasktrackers, job tracker and namenode)
 will be interacting with the Active Directory anyway ?

If so, option 1 doesn't seem to be superior since each node has to talk to
two kdc's - local kerberos for authenticating service principals, Active
Directory to get the user details and group information .

Please correct me if I am wrong in my assumptions.

Thanks and Regards,

BBG

Mime
View raw message