hadoop-user mailing list archives

From Harsh J <ha...@cloudera.com>
Subject Re: Not sure Kerberos principal needs a Linux user account
Date Thu, 18 Oct 2012 04:43:31 GMT

Reply inline.

On Thu, Oct 18, 2012 at 6:08 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
> Sorry, may I resend the message with a subject, just forgot it.
> Hi,
> When Kerberos authentication is used instead of the default “simple” method,
> is a Linux user account needed to run a MapReduce job for a principal? Why?

It is not Kerberos that requires this but the LinuxTaskController. It
is necessary for secured environments to run the MR tasks as the
submitting user of the job itself (via setuid) and hence, a locally
lookup-able account with a UID associated is necessary.

This form of boxing in is required such that one user's task does not
try to harm another's. This scenario is possible in non-secure
environments, where all tasks run as the owner of the TaskTracker
parent process itself.

> For example, for a Kerberos principal “john@whatever-company.com”, if he
> needs to run a job, are the following steps 1) & 2) a must?
> 1)      Create a Linux user “john” (the first component of the principal
> name);
> 2)      The user logs in as “john” into Linux shell;

Yes, for an identity "john" to be the submitter, on all tasktrackers,
the "john" must exist for the LinuxTaskController to work. If you do
not want this, do not use the LinuxTaskController.

> 3)      kinit john@whatever-company.com;

The kinit is only necessary at the job submission node.

Harsh J
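
A preflight check for the requirement described in the reply above, added here as an example; it is not part of the original message or of Hadoop. Run on each TaskTracker node, it reports whether the short name of every submitting principal resolves to an account with a UID. The function names are hypothetical, and taking the first component as the short name assumes no custom principal-to-user mapping is configured.

```python
import pwd
import sys


def short_name(principal):
    """Return the first component of a Kerberos principal.

    Assumption: the short name is simply the first component, as in the
    thread (john@whatever-company.com -> john); no custom mapping rules.
    """
    primary = principal.split("@", 1)[0].split("/", 1)[0]
    if not primary:
        raise ValueError("principal has no first component: %r" % principal)
    return primary


def check_principals(principals, lookup=pwd.getpwnam):
    """Map each principal to (short name, UID), or (short name, None).

    pwd.getpwnam resolves through the system's account lookup, so accounts
    served from a directory count as long as this node can resolve them.
    """
    report = {}
    for principal in principals:
        user = short_name(principal)
        try:
            report[principal] = (user, lookup(user).pw_uid)
        except KeyError:  # raised when the account cannot be resolved
            report[principal] = (user, None)
    return report


if __name__ == "__main__":
    # Constructed sample input, used when no principals are given.
    targets = sys.argv[1:] or ["john@whatever-company.com"]
    missing = 0
    for principal, (user, uid) in check_principals(targets).items():
        if uid is None:
            missing += 1
            print("MISSING  %s -> no account '%s' on this node" % (principal, user))
        else:
            print("OK       %s -> %s (uid %d)" % (principal, user, uid))
    sys.exit(1 if missing else 0)
```

The script exits non-zero when any principal lacks an account, so it can gate node provisioning before secured job submission is enabled.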
