Hi, Reply inline.
On Thu, Oct 18, 2012 at 6:08 AM, Zheng, Kai <[email protected]> wrote: > Sorry, may I resend the message with a subject, just forgot it. > > Hi, > > When Kerberos authentication is used instead of the default “simple” method, > is a Linux user account needed to run a MapReduce job for a principal? Why? It is not Kerberos that requires this but the LinuxTaskController. It is necessary for secured environments to run the MR tasks as the submitting user of the job itself (via setuid) and hence, a locally lookup-able account with an UID associated is necessary. This form of boxing in is required such that one user's task does not try to harm another's. This scenario is possible in non-secure environments, where all tasks run as the owner of the TaskTracker parent process itself. > For example, for a Kerberos principal “[email protected]”, if he > needs to run a job, is the following step 1) & 2) a must? > > 1) Create a Linux user “john” (the first component of the principal > name); > > 2) The user logins as “john” into Linux shell; Yes, for an identity "john" to be the submitter, on all tasktrackers, the "john" must exist for the LinuxTaskController to work. If you do not want this, do not use the LinuxTaskController > 3) kinit [email protected]; The kinit is only necessary at the job submission node. -- Harsh J
