[jira] [Commented] (AMBARI-7204) Ambari Automated Kerberization

Tue, 09 Sep 2014 07:46:00 -0700 

    [ 
https://issues.apache.org/jira/browse/AMBARI-7204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14127046#comment-14127046
 ] 

Robert Levas commented on AMBARI-7204:
--------------------------------------

[~jaoki], Thanks!

I would be happy to support only use cases 2.1.1 (_Ambari installs and manages 
stand-alone MIT KDC_), 2.1.2 (_Ambari installs and manages MIT KDC with one-way 
trust to external KDC_), and 2.1.3 (_Ambari installs and manages MIT KDC with 
one-way trust to external Active Directory_) and I think that 2.1.2. and 2.1.3 
should be best practice scenarios.  However, I know that there are several 
instances out in the wild where 2.1.5 (_Ambari uses existing Active Directory_) 
is in play so we we will need to implement it... and if we implement 2.1.5, 
implementing 2.1.4 (_Ambari uses existing MIT KDC_) is not a far stretch since 
it is a simpler scenario. 

On top of this, looking at [~eronwright]'s comments, the use cases may become 
even more complex. 

> Ambari Automated Kerberization
> ------------------------------
>
>                 Key: AMBARI-7204
>                 URL: https://issues.apache.org/jira/browse/AMBARI-7204
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server, security, stacks
>    Affects Versions: 2.0.0
>         Environment: Kerberos
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: active-directory, authentication, kerberos, 
> mit-kerberos, security, stack
>         Attachments: AmbariClusterKerberization.pdf
>
>   Original Estimate: 2,016h
>  Remaining Estimate: 2,016h
>
> *Problem*
> Manually installing and setting up Kerberos for a secure Hadoop cluster is 
> error prone, largely manual and a potential source of configuration problems. 
> It requires many steps where configuration files and credentials may need to 
> be distributed across many nodes.  Because of this the process is time 
> consuming and lead to a high probability of user error.
> The problem is exacerbated when the cluster is modified by adding or removing 
> nodes and services.
> *Solution*
> Use Ambari to secure the cluster using Kerberos.  By automating the process 
> of setting up Kerberos, the repetitive tasks of distributing configuration 
> details and credentials can be done in parallel to the nodes within the 
> cluster.  This also negates most user-related errors due to the lack of 
> interaction a user has with the process.  
> See [^AmbariClusterKerberization.pdf] for more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to