[jira] [Commented] (AMBARI-6432) FreeIPA Support in Ambari

Fri, 18 Jul 2014 08:31:30 -0700 

    [ 
https://issues.apache.org/jira/browse/AMBARI-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14066441#comment-14066441
 ] 

jay vyas commented on AMBARI-6432:
----------------------------------

*I've just gotten some feedback from the FreeIPA folks, summarizing their 
thoughts inline here:*

a) Authentication into Ambari
http://www.freeipa.org/page/Web_App_Authentication

b) Security and identity of the stack
FreeIPA can provide
- centralised management  for service accounts and their keys and certificates, 
and they
- smart proxying 
- use FreeIPA as hub for management system to connect + hosts that would be 
clients/hadoop slaves
See http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm as an 
example + 
http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration

The next steps for this task would be to draw all the connections between the 
components (masters, slaves) and how they communicate.

> FreeIPA Support in Ambari
> -------------------------
>
>                 Key: AMBARI-6432
>                 URL: https://issues.apache.org/jira/browse/AMBARI-6432
>             Project: Ambari
>          Issue Type: Improvement
>          Components: controller
>            Reporter: jay vyas
>
> FreeIPA Is a powerful tool for unifying identity, kerberos credentials, 
> across a cluster.
> A great value add for ambari would be to provide support for using FreeIPA to 
> kerberize services.  This would allow for 
> 1) better HCFS interoperability, because first class GID/UID is critical for 
> certain file systems (GlusterFS, Lustre, and any other file system which uses 
> kernel / FUSE apis for determining identity)
> 2) better enterprise interoperability.  Because of the fact that FreeIPA 
> makes it easy to interop with different identity solutions (like active 
> directory), it would make ambari easier to adopt for various enterprises.
> 3) broadens ambaris scope.  Now ambari could also allow people to setup the 
> users of their clusters, and at least some of the security features of their 
> clusters, all from one interface (no more manual handling of TGTs and such - 
> it could all be done quite easily via the ambari UI which could make calls to 
> underlying FreeIPA clients).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to