[
https://issues.apache.org/jira/browse/AMBARI-10037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358030#comment-14358030
]
Eron Wright commented on AMBARI-10037:
---------------------------------------
To expand on HCFS interoperability, consider that numerous directories are
created in HDFS during cluster creation - e.g. /tmp - with certain permissions.
At that time, HDFS is insecure. Later, Ambari secures the cluster including
HDFS. It is assumed that the permissions on those directories still work.
With HDFS, that assumption is correct. For other HCFS implementations, maybe
not. Not all HCFS implementations map the Kerberos principal to a simple
username.
> Support creation of a secure cluster (w/ blueprints)
> ----------------------------------------------------
>
> Key: AMBARI-10037
> URL: https://issues.apache.org/jira/browse/AMBARI-10037
> Project: Ambari
> Issue Type: Improvement
> Components: ambari-server
> Reporter: Eron Wright
> Labels: api, blueprints, kerberos
>
> While it is possible to enable Kerberos on an existing cluster, it should be
> possible to create a new cluster with Kerberos enabled in a single step.
> Ideally the blueprint API could be used in that case.
> Note that any service added to an already-secured cluster is immediately
> secured. Therefore, a possible workaround is to create a cluster with no
> services, secure it, then add services. But this workaround is
> incompatible with blueprints.
> Among the benefits:
> # reduced time spent in an insecure configuration; close a potential
> vulnerability.
> # more convenient; no additional step to perform.
> # faster; fewer restarts.
> # improved interoperability with HCFS.