[jira] [Commented] (AMBARI-7204) Ambari Automated Kerberization

[Eron Wright (JIRA)]

    [ 
https://issues.apache.org/jira/browse/AMBARI-7204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14145134#comment-14145134
 ] 

Eron Wright  commented on AMBARI-7204:
--------------------------------------

My opinion is that the top priority should be automated configuration of 
cluster nodes, with as much flexibility as possible.     Whether the KDC is 
'managed' or 'external' is a separate issue.   If this feature is intended for 
production deployments, then issues like JCE configuration is probably more 
important than automated deployment of KDC (since HA is not covered in the 
proposal anyway).      Automatic creation of service principals and keytabs is 
clearly high priority in any case.    These suggestions are consistent with the 
central theme of fully-automated node configuration.

I called out some issues with the proposed schema, Robert will you provide an 
updated proposal?

> Ambari Automated Kerberization
> ------------------------------
>
>                 Key: AMBARI-7204
>                 URL: https://issues.apache.org/jira/browse/AMBARI-7204
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server, security, stacks
>    Affects Versions: 2.0.0
>         Environment: Kerberos
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: active-directory, authentication, kerberos, 
> mit-kerberos, security, stack
>             Fix For: 2.0.0
>
>         Attachments: AmbariClusterKerberization.pdf
>
>   Original Estimate: 2,016h
>  Remaining Estimate: 2,016h
>
> *Problem*
> Manually installing and setting up Kerberos for a secure Hadoop cluster is 
> error prone, largely manual and a potential source of configuration problems. 
> It requires many steps where configuration files and credentials may need to 
> be distributed across many nodes.  Because of this the process is time 
> consuming and lead to a high probability of user error.
> The problem is exacerbated when the cluster is modified by adding or removing 
> nodes and services.
> *Solution*
> Use Ambari to secure the cluster using Kerberos.  By automating the process 
> of setting up Kerberos, the repetitive tasks of distributing configuration 
> details and credentials can be done in parallel to the nodes within the 
> cluster.  This also negates most user-related errors due to the lack of 
> interaction a user has with the process.  
> See [^AmbariClusterKerberization.pdf] for more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)