Date: Sat, 15 Sep 2012 23:27:54 -0400
Subject: Hadoop Security and Kerberos
From: Yongzhi Wang
To: user@hadoop.apache.org

Dear All,

I am confused about the usage of Kerberos on Hadoop 1.0.3. I have difficulty finding documents on configuring the security features of Hadoop 1.0.3. Specifically, how should I configure Hadoop so that I can use Kerberos?

The only document that is related to this question is the CDH4 Security Guide (https://ccp.cloudera.com/display/CDH4DOC/CDH4+Security+Guide), an instruction about the security configuration for Cloudera Distributed Hadoop. But I am not sure if this guide can be directly used to configure Apache Hadoop 1.0.3. After all, I don't know how many differences exist between CDH4 and Apache Hadoop 1.0.3.

I read some materials published by the Hadoop development team, including the documentation posted on the Apache website (http://hadoop.apache.org/docs/r1.0.3/index.html) and the "Hadoop Security Design" document proposed by Yahoo! in 2009. Unfortunately, I still cannot generate a clear vision after I read those documents.

All my questions are derived from one basic question: Are all of the design features in "Hadoop Security Design" included in release 1.0.3? If not, which of those features are introduced in release 1.0.3? Which features are included in Hadoop 2.0? Which features are still not implemented? For example, the "Hadoop Security Design" document mentioned three types of tokens (Delegation Token, Block Access Token and Job Token). Does release 1.0.3 support all three types of tokens?

In the 1.0.3 document "hdfs permission guide" (http://hadoop.apache.org/docs/r1.0.3/hdfs_permissions_guide.html), it mentions that "In this release of Hadoop the identity of a client process is just whatever the host operating system says it is. For Unix-like systems, ......In the future there will be other ways of establishing user identity (think Kerberos, LDAP, and others). ......". It seems that 1.0.3 does not fully support Kerberos. If that is the case, to what degree does release 1.0.3 support Kerberos?

So my questions are:

1. Is there any document comparing the security features in each release of Hadoop with the "Hadoop Security Design" proposed by Yahoo!?
2. In release 1.0.3, which components of Hadoop can use Kerberos to leverage security? In order to use Kerberos, how should I configure Hadoop?

I am not very familiar with Kerberos. So if I have some misunderstanding, please feel free to point it out.

Thanks!

Best regards,
Yongzhi