On Mon, Jun 25, 2012 at 8:02 AM, Fabio Pitzolu <fabio.pitz...@gr-ci.com> wrote:

> Hi community!
> I have a question concerning the Hadoop security, in particular I need some
> advice to configure the Kerberos authentication:
>
> 1 - I have an Active Directory domain, do I have to connect the Linux
> Hadoop nodes to the AD domain?
> 2 - Is it possible to use a KDC to authenticate and another KDC for user /
> groups authorization?
>

It is common to create a domain for the Linux machines in the cluster with the principals for the servers (nn/_HOST, jt/_HOST, dn/_HOST, tt/_HOST, etc. where the _HOST is replaced by the full host name.)

If you have an Active Directory for the users, you need to set up a trust relationship between the Linux KDC and the Active Directory.

The other critical piece is setting up the auth_to_local mapping so that the Kerberos principals are correctly mapped to Unix login ids.

This is a common configuration, so you aren't even on the bleeding edge. *grin*

-- Owen
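
An added illustration of the auth_to_local mapping mentioned above (not part of Owen's reply and not Hadoop's own code): a simplified Python model of how rules written in the syntax of Hadoop's hadoop.security.auth_to_local property turn service and user principals into Unix login ids. The realm names HADOOP.EXAMPLE.COM (Linux KDC) and CORP.EXAMPLE.COM (Active Directory), the host names, and the hdfs/mapred target accounts are assumptions made for the example.

```python
import re

# Constructed sample values (assumptions, not from the thread):
# HADOOP.EXAMPLE.COM = Linux KDC realm for the cluster, CORP.EXAMPLE.COM = AD realm.
DEFAULT_REALM = "HADOOP.EXAMPLE.COM"
RULES = r"""
RULE:[2:$1@$0]([nd]n@HADOOP\.EXAMPLE\.COM)s/.*/hdfs/
RULE:[2:$1@$0]([jt]t@HADOOP\.EXAMPLE\.COM)s/.*/mapred/
RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//
DEFAULT
"""

# RULE:[<component count>:<format>](<match regex>)s/<from>/<to>/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")


def to_local(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a Unix login id; the first applicable rule wins."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    for rule in rules.split():
        if rule == "DEFAULT":
            # DEFAULT only accepts principals from the cluster's own realm.
            if realm == default_realm:
                return comps[0]
            continue
        parsed = RULE_RE.match(rule)
        if parsed is None:
            raise ValueError(f"malformed rule {rule!r}")
        n, fmt, match, frm, to, glob = parsed.groups()
        if int(n) != len(comps):
            continue
        # $0 is the realm, $1..$n are the name components.
        base = re.sub(r"\$(\d)", lambda m: ([realm] + comps)[int(m.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        if frm is not None:
            base = re.sub(frm, to, base, count=0 if glob else 1)
        if "@" in base or "/" in base:
            raise ValueError(f"non-simple name {base!r} from {rule}")
        return base
    raise ValueError(f"no rule applies to {principal}")


if __name__ == "__main__":
    for p in ("nn/master1.hadoop.example.com@HADOOP.EXAMPLE.COM", "alice@CORP.EXAMPLE.COM"):
        print(p, "->", to_local(p))
```

Principals from a realm that no rule names are rejected rather than silently mapped, which is the behaviour to check for when a cross-realm trust is added.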