[
https://issues.apache.org/jira/browse/AMBARI-7204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14148139#comment-14148139
]
Eron Wright commented on AMBARI-7204:
--------------------------------------
Thanks for incorporating much of the feedback. The introduction of the
"kdc-<unique identifier>" configuration block seems to allow a multitude of
realms to be defined in krb5.conf. Accordingly a use case should be defined.
Seems we are now able to satisfy the use case I mentioned earlier, where the
managed KDC is the 'trusted' party to some external KDC. But we must clarify
how the cross-realm trust principals are specified. Would it be correct to
define 'identity-' blocks for the trust principals? At minimum a password
must be specified.
Here is an example to illustrate the use case. A user in USER realm submits a
job to a cluster in HADOOP realm, which reads data from a data storage system
in DATABASE realm. The HADOOP realm is managed. Keep in mind that trust
principals are defined as "krbtgt/TRUSTING_REALM@TRUSTED_REALM".
{code}
"configurations": [
{ "clusterenv": { "kerberos_domain": "HADOOP.EXAMPLE.COM" } },
{
"kdc-users": { "realm": "USERS.EXAMPLE.COM", "kdc_server":
"kdc.users.example.com", "admin_server": "kdc.users.example.com" }
},
{
"kdc-hadoop": { "realm": "HADOOP.EXAMPLE.COM" }
},
{
"kdc-database": { "realm": "DATABASE.EXAMPLE.COM", "kdc_server":
"kdc.database.example.com", "admin_server": "kdc.database.example.com" }
},
{
"identity-user-trust": {
"realm": "HADOOP.EXAMPLE.COM",
"principal": "krbtgt/[email protected]",
"password": "hadoop"
}
},
{
"identity-database-trust": {
"realm": "HADOOP.EXAMPLE.COM",
"principal": "krbtgt/[email protected]",
"password": "hadoop"
}
}
]
{code}
Thanks
> Ambari Automated Kerberization
> ------------------------------
>
> Key: AMBARI-7204
> URL: https://issues.apache.org/jira/browse/AMBARI-7204
> Project: Ambari
> Issue Type: Epic
> Components: ambari-server, security, stacks
> Affects Versions: 2.0.0
> Environment: Kerberos
> Reporter: Robert Levas
> Assignee: Robert Levas
> Labels: active-directory, authentication, kerberos,
> mit-kerberos, security, stack
> Fix For: 2.0.0
>
> Attachments: AmbariClusterKerberization.pdf
>
> Original Estimate: 2,016h
> Remaining Estimate: 2,016h
>
> *Problem*
> Manually installing and setting up Kerberos for a secure Hadoop cluster is
> error prone, largely manual and a potential source of configuration problems.
> It requires many steps where configuration files and credentials may need to
> be distributed across many nodes. Because of this the process is time
> consuming and lead to a high probability of user error.
> The problem is exacerbated when the cluster is modified by adding or removing
> nodes and services.
> *Solution*
> Use Ambari to secure the cluster using Kerberos. By automating the process
> of setting up Kerberos, the repetitive tasks of distributing configuration
> details and credentials can be done in parallel to the nodes within the
> cluster. This also negates most user-related errors due to the lack of
> interaction a user has with the process.
> See [^AmbariClusterKerberization.pdf] for more details.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
