On Mon, Jun 25, 2012 at 8:02 AM, Fabio Pitzolu <[EMAIL PROTECTED]> wrote:
> Hi community!
> I have a question concerning the Hadoop security, in particular I need some
> advice to configure the Kerberos authentication:
> 1 - I have an Active Directory domain, do I have to connect the Linux
> Hadoop nodes to the AD domain?
> 2 - Is it possible to use a KDC to authenticate and another KDC for user /
> groups authorization?
It is common to create a domain for the Linux machines in the cluster with
the principals for the servers (nn/_HOST, jt/_HOST, dn/_HOST, tt/_HOST,
etc., where the _HOST is replaced by the full host name). If you have an
Active Directory for the users, you need to set up a trust relationship
between the Linux KDC and the Active Directory. The other critical piece is
setting up the auth_to_local mapping so that the Kerberos principals are
correctly mapped to Unix login ids.
This is a common configuration, so you aren't even on the bleeding edge.
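
The auth_to_local mapping mentioned in the reply, as an added example that is not part of the original message: a simplified Python model of how Hadoop evaluates `hadoop.security.auth_to_local` rules in order, with the first matching rule winning. The realm names, host names, and the hdfs/mapred target accounts are constructed assumptions for illustration.

```python
import re

# Constructed realms (assumptions): cluster KDC realm plus a trusted AD realm.
DEFAULT_REALM = "HADOOP.EXAMPLE.COM"
RULES = r"""
RULE:[2:$1@$0]([nd]n@HADOOP\.EXAMPLE\.COM)s/.*/hdfs/
RULE:[2:$1@$0]([jt]t@HADOOP\.EXAMPLE\.COM)s/.*/mapred/
RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*//
DEFAULT
"""
# RULE:[<component count>:<format>](<accept regex>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")

def apply_rule(rule, comps, realm):
    """Return the short name if this rule applies to the principal, else None."""
    if rule == "DEFAULT":
        # DEFAULT only strips the realm for principals in the cluster's own realm.
        return comps[0] if realm == DEFAULT_REALM else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("bad rule: " + rule)
    count, fmt, accept, pat, repl, glob = m.groups()
    if len(comps) != int(count):
        return None
    params = [realm] + comps          # $0 is the realm, $1..$n the components
    base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
    if not re.fullmatch(accept, base):  # the accept regex must match the whole string
        return None
    return re.sub(pat, repl, base, count=0 if glob else 1)

def short_name(principal, rules=RULES):
    """Map 'name/host@REALM' to a Unix login id; the first matching rule wins."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    for rule in rules.split():
        result = apply_rule(rule, comps, realm)
        if result is not None:
            return result
    # Principals from realms no rule covers get no local identity at all.
    raise LookupError("No rules applied to " + principal)

if __name__ == "__main__":
    for p in ("nn/master1.example.com@HADOOP.EXAMPLE.COM",
              "tt/worker7.example.com@HADOOP.EXAMPLE.COM",
              "alice@AD.EXAMPLE.COM"):
        print(p, "->", short_name(p))
```

A principal from a realm that no rule names, such as a user in an unrelated domain, raises instead of falling through to a local account, which is the behaviour to check for after setting up the cross-realm trust.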