hadoop-mapreduce-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Koert Kuipers <ko...@tresata.com>
Subject Re: kerberos principals per node necessary?
Date Tue, 04 Feb 2014 04:34:07 GMT
interesting! thanks for that information, very helpful


On Mon, Feb 3, 2014 at 6:04 PM, Benoy Antony <bantony@gmail.com> wrote:

> Its a bad idea, Koert.
> When multiple nodes are using the same principal (in this case all the
> datanodes ) ,  it will result in server assuming that its a replay attack
> and result in denial of service.
>
> More details here :
>
> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.2.1/CDH4-Security-Guide/cdh4sg_topic_17.html#concept_hfv_zqw_wj_unique_1
>
> and here
> http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html
>
> benoy
>
>
> On Sun, Feb 2, 2014 at 3:14 PM, Koert Kuipers <koert@tresata.com> wrote:
>
>> i
>> s it necessary to create a kerberos principal for hdfs on every node, as
>> in hdfs/some-host@SOME-REALM?
>>  why not use one principal hdfs@SOME-REALM? that way i could distribute
>> the same keytab file to all nodes which makes things a lot easier.
>> thanks! koert
>>
>
>

Mime
View raw message