

Re: Hadoop Security - TaskTracker and Active Directory
The Cluster KDC should be set up to trust the Active Directory KDC (cross-realm trust in the Kerberos lingo). This handles the cases of user authentication when a user talks to a server in the cluster directly (e.g., user->namenode).
The GID and other user attributes are usually stored in LDAP. The cluster nodes are set up to talk to the cluster-specific LDAP server.

On Sep 30, 2011, at 7:19 PM, bigbibguy father wrote:

> We are planning to enable secure Hadoop using Kerberos.
>
> Our users reside in the Active Directory. We read that there are two options to use Kerberos for securing Hadoop.
>
> 1) You run Kerberos on a machine local to the cluster and create service principals here
> 2) Use Active Directory itself as the Kerberos KDC and create service principals also in Active Directory.
>
> It seems Cloudera and industry in general recommend option 1 of running a local KDC for authenticating service principals.
> https://ccp.cloudera.com/display/CDHDOC/Integrating+Hadoop+Security+with+Active+Directory
>
> I read that the tasktrackers run tasks as the user who submitted the user. In that case, don't the TaskTracker nodes need to talk to the Active Directory to get the user details like gid etc.?
>
> So does this mean that every node (tasktrackers, job tracker and namenode) will be interacting with the Active Directory anyway?
>
> If so, option 1 doesn't seem to be superior since each node has to talk to two KDCs - local Kerberos for authenticating service principals, Active Directory to get the user details and group information.
>
> Please correct me if I am wrong in my assumptions.
>
> Thanks and Regards,
>
> BBG
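
The split discussed in this thread (Kerberos authentication across a realm trust, uid/gid lookup through the node's name service) is sketched below as an added example; it is not code from the thread or from Hadoop. The realm names, the user `alice` and the simplified `short_name` mapping are assumptions made for illustration.

```python
import grp
import pwd

# Constructed realm names for illustration; substitute your own.
AD_REALM = "CORP.EXAMPLE.COM"         # user principals (Active Directory)
CLUSTER_REALM = "HADOOP.EXAMPLE.COM"  # service principals (cluster KDC)


def parse_principal(principal):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like primary[/instance]@REALM")
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm


def trust_principal(user_realm, service_realm):
    """Cross-realm TGT principal that must exist, with the same key, in both
    KDCs so users from user_realm can get tickets for service_realm."""
    return "krbtgt/%s@%s" % (service_realm, user_realm)


def short_name(principal, trusted_realms):
    """Simplified stand-in for principal-to-user mapping: accept only
    trusted realms and use the primary as the local account name."""
    primary, _, realm = parse_principal(principal)
    if realm not in trusted_realms:
        raise PermissionError("realm %s is not trusted" % realm)
    return primary


def node_identity(user, getpwnam=pwd.getpwnam, getgrall=grp.getgrall):
    """Resolve uid, primary gid and group names through the OS name service
    (LDAP-backed in the setup above); no KDC is contacted for this step.
    The lookup functions are injectable so the logic can be tested offline."""
    pw = getpwnam(user)  # KeyError if this node cannot resolve the user
    names = {g.gr_name for g in getgrall()
             if user in g.gr_mem or g.gr_gid == pw.pw_gid}
    return pw.pw_uid, pw.pw_gid, sorted(names)


if __name__ == "__main__":
    user = short_name("alice@" + AD_REALM, {AD_REALM, CLUSTER_REALM})
    print("required trust principal:", trust_principal(AD_REALM, CLUSTER_REALM))
    try:
        print("identity on this node:", node_identity(user))
    except KeyError:
        print("user %r does not resolve here; check NSS/LDAP" % user)
```

Run on a worker node, a `KeyError` for a user who can authenticate points at the name-service side (NSS/LDAP) rather than at Kerberos.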
