hadoop-mapreduce-user mailing list archives

From Benoy Antony <bant...@gmail.com>
Subject Re: kerberos principals per node necessary?
Date Mon, 03 Feb 2014 23:04:31 GMT
It's a bad idea, Koert.
When multiple nodes are using the same principal (in this case all the
datanodes), it will result in the server assuming that it's a replay attack
and result in denial of service.

More details here:
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.2.1/CDH4-Security-Guide/cdh4sg_topic_17.html#concept_hfv_zqw_wj_unique_1

and here
http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html

benoy


On Sun, Feb 2, 2014 at 3:14 PM, Koert Kuipers <koert@tresata.com> wrote:

> is it necessary to create a kerberos principal for hdfs on every node, as
> in hdfs/some-host@SOME-REALM?
> why not use one principal hdfs@SOME-REALM? that way i could distribute
> the same keytab file to all nodes which makes things a lot easier.
> thanks! koert
>
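
The failure described in the reply above, shown as an added example that is not part of the original thread: a simplified model of a service-side replay cache receiving authenticators from many datanodes at nearly the same instant. Assumptions: the cache is keyed on client principal plus authenticator timestamp, client clocks stamp with millisecond resolution, and all host names, timestamps and function names are constructed for illustration.

```python
# Added illustration: simplified model of a Kerberos service-side replay cache.
from dataclasses import dataclass

CLOCK_SKEW_US = 300 * 1_000_000  # 5-minute skew window (assumed for this model)

@dataclass(frozen=True)
class Authenticator:
    client: str    # client principal named in the authenticator
    ctime_us: int  # client timestamp (ctime + cusec), in microseconds

class ReplayCache:
    """Remembers authenticators seen inside the skew window; a duplicate counts as a replay."""
    def __init__(self):
        self._seen = {}

    def accept(self, auth, now_us):
        # Drop entries that have aged out of the skew window.
        self._seen = {k: t for k, t in self._seen.items() if now_us - t <= CLOCK_SKEW_US}
        key = (auth.client, auth.ctime_us)
        if key in self._seen:
            return False  # same principal, same timestamp: rejected as a replay
        self._seen[key] = now_us
        return True

def simulate(principal_for, hosts, rounds, granularity_us=1000):
    """Each host authenticates once per round; returns how many requests were rejected."""
    cache = ReplayCache()
    rejected = 0
    for r in range(rounds):
        base = 1_391_468_671_000_000 + r * 3_000_000  # constructed timestamps, 3 s apart
        for i, host in enumerate(hosts):
            real_us = base + i * 10                       # hosts arrive 10 microseconds apart
            stamped = real_us - real_us % granularity_us  # client clock resolution
            if not cache.accept(Authenticator(principal_for(host), stamped), real_us):
                rejected += 1
    return rejected

HOSTS = [f"dn{i:02d}.example.com" for i in range(1, 21)]  # constructed host names
shared = simulate(lambda h: "hdfs@SOME-REALM", HOSTS, rounds=5)
per_host = simulate(lambda h: f"hdfs/{h}@SOME-REALM", HOSTS, rounds=5)

if __name__ == "__main__":
    total = len(HOSTS) * 5
    print(f"shared principal:   {shared} of {total} rejected as replays")
    print(f"per-host principal: {per_host} of {total} rejected as replays")
```

With the shared principal, every request after the first in each round collides on the cache key; with hdfs/host principals the same traffic produces no collisions.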
