hadoop-user mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Not sure Kerberos principal needs a Linux user account
Date Thu, 18 Oct 2012 05:04:02 GMT
Got it. Thanks Harsh!

-----Original Message-----
From: Harsh J [mailto:harsh@cloudera.com] 
Sent: Thursday, October 18, 2012 12:44 PM
To: user@hadoop.apache.org
Subject: Re: Not sure Kerberos principal needs a Linux user account

Hi,

Reply inline.

On Thu, Oct 18, 2012 at 6:08 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> Sorry, may I resend the message with a subject, just forgot it.
>
> Hi,
>
> When Kerberos authentication is used instead of the default "simple" 
> method, is a Linux user account needed to run a MapReduce job for a principal? Why?

It is not Kerberos that requires this but the LinuxTaskController. It is necessary for secured
environments to run the MR tasks as the submitting user of the job itself (via setuid) and
hence, a locally lookup-able account with a UID associated is necessary.

This form of boxing in is required such that one user's task does not try to harm another's.
This scenario is possible in non-secure environments, where all tasks run as the owner of
the TaskTracker parent process itself.

> For example, for a Kerberos principal "john@whatever-company.com", if 
> he needs to run a job, are the following steps 1) & 2) a must?
>
> 1)      Create a Linux user "john" (the first component of the principal
> name);
>
> 2)      The user logs in as "john" in the Linux shell;

Yes, for an identity "john" to be the submitter, on all tasktrackers, "john" must exist
for the LinuxTaskController to work. If you do not want this, do not use the LinuxTaskController.

> 3)      kinit john@whatever-company.com;

The kinit is only necessary at the job submission node.

--
Harsh J
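
A preflight check for the requirement discussed in this thread, as an added example that is not part of the original messages or of Hadoop itself: it maps a principal to its short name and confirms that a local account with a UID exists, which is what the LinuxTaskController needs on every tasktracker. The function names are hypothetical, the account data is constructed, and the short name is assumed to be the first component of the principal, as in step 1 of the question.

```shell
#!/bin/sh
# Preflight for a tasktracker node: does the submitting principal map to a
# local account with a UID, as the LinuxTaskController needs for setuid?

# Assumption: short name = first component of the principal (realm and any
# /instance part dropped), as in step 1 of the thread.
short_name() {
  p=${1%%@*}
  printf '%s\n' "${p%%/*}"
}

# Print the UID of user $1. With a second argument, look it up in that
# passwd-format file (used for the constructed sample below); otherwise ask
# the node's own account database via id(1).
lookup_uid() {
  if [ -n "${2:-}" ]; then
    awk -F: -v u="$1" '$1 == u { print $3; found = 1; exit } END { exit !found }' "$2"
  else
    id -u "$1" 2>/dev/null
  fi
}

# check_principal PRINCIPAL [PASSWD_FILE]
# Returns 0 and prints the mapping if the account exists, else returns 1.
check_principal() {
  user=$(short_name "$1")
  if uid=$(lookup_uid "$user" "${2:-}"); then
    echo "OK $1 -> local user $user (uid $uid)"
  else
    echo "MISSING $1 -> no local user $user on this node" >&2
    return 1
  fi
}

# Constructed sample account data, not taken from any real system.
sample=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
              'john:x:1001:1001::/home/john:/bin/sh' > "$sample"

check_principal 'john@whatever-company.com' "$sample"
check_principal 'alice@whatever-company.com' "$sample" || true
```

Run without the second argument on each tasktracker to check the node's real accounts.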
