Hi Aneela,

IIUC, the NameNode and DataNode use the _HOST pattern in their principals, and you need to create separate principals for the NN and DN if they are running on different machines. I hope the explanation below will help you.

"dfs.namenode.kerberos.principal" is typically set to nn/_HOST@REALM. Each NameNode will substitute _HOST with its own fully qualified hostname at startup. The _HOST placeholder allows using the same configuration setting on both the Active and Standby NameNodes in an HA setup.

Similarly, "dfs.datanode.kerberos.principal" will be set to dn/_HOST@REALM. The DataNode will substitute _HOST with its own fully qualified hostname at startup. The _HOST placeholder allows using the same configuration setting on all DataNodes.

Again, if you are using an HA setup with QJM, "dfs.journalnode.kerberos.principal" will be set to jn/_HOST@REALM.

>>>>>Do I need to copy all the Kerberos configuration files like kdc.conf and krb5.conf etc. on every node in default locations?

Yes, you need to place these in the appropriate paths on all the machines.

Regards,
Rakesh

On Tue, Jun 28, 2016 at 3:15 AM, Aneela Saleem <[email protected]> wrote:

> Hi all,
>
> I have configured Kerberos for a single-node cluster successfully. I used
> this
> <http://queryio.com/hadoop-big-data-docs/hadoop-big-data-admin-guide/queryio/hadoop-security-setup-kerberos.html#add_admin>
> documentation
> for configurations. Now I'm enabling security for a multi-node cluster and I
> have some confusion about that. Like:
>
> How would principals be managed for the namenode and datanode? Because till
> now I had only one principal *hdfs/_HOST@platalyticsrealm* used for both
> the namenode as well as the datanode. Do I need to add separate principals for
> both namenode and datanode having different hostnames? For example:
> if my namenode hostname is *hadoop-master* then there should be a principal
> added *nn/hadoop-master@platalyticsrealm* (with appropriate keytab file)
> if my datanode hostname is *hadoop-slave* then there should be a principal
> added *dn/hadoop-slave@platalyticsrealm* (with appropriate keytab file)
>
> Do I need to copy all the Kerberos configuration files like kdc.conf and
> krb5.conf etc. on every node in default locations?
>
> A little guidance would be highly appreciated. Thanks
>
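
The _HOST substitution described in the reply, worked through as an added example (not code from the thread or from Hadoop): it lists the principals the KDC must hold for a cluster and checks that a node's keytab contains the one that node will resolve to. The realm EXAMPLE.COM, the hostnames, the helper names and the lowercasing of the hostname are assumptions of this sketch.

```python
import re

# Principal patterns as named in the reply; EXAMPLE.COM is a constructed realm.
PATTERNS = {
    "dfs.namenode.kerberos.principal": "nn/_HOST@EXAMPLE.COM",
    "dfs.datanode.kerberos.principal": "dn/_HOST@EXAMPLE.COM",
    "dfs.journalnode.kerberos.principal": "jn/_HOST@EXAMPLE.COM",
}

# Constructed cluster layout: which hosts run which daemon.
ROLES = {
    "dfs.namenode.kerberos.principal": ["hadoop-master.example.com"],
    "dfs.datanode.kerberos.principal": ["hadoop-slave1.example.com",
                                        "Hadoop-Slave2.example.com"],
    "dfs.journalnode.kerberos.principal": [],  # no QJM in this sample
}

PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")


def resolve_principal(pattern, fqdn):
    """Return the principal one node ends up with for service/_HOST@REALM."""
    m = PRINCIPAL_RE.match(pattern)
    if m is None or m.group(2) != "_HOST":
        return pattern  # no placeholder: every node shares this literal name
    service, _, realm = m.groups()
    # Assumption: the hostname is lowercased on substitution, so the
    # principal created in the KDC has to be lowercase as well.
    return f"{service}/{fqdn.lower()}@{realm}"


def required_principals(patterns, roles):
    """All principals that must exist in the KDC, one per (daemon, host)."""
    return sorted({resolve_principal(patterns[prop], host)
                   for prop, hosts in roles.items() for host in hosts})


def missing_from_keytab(pattern, fqdn, keytab_principals):
    """Empty list if the node's keytab holds the principal it resolves to."""
    want = resolve_principal(pattern, fqdn)
    return [] if want in keytab_principals else [want]


if __name__ == "__main__":
    for principal in required_principals(PATTERNS, ROLES):
        print(principal)
```

The set passed to `missing_from_keytab` would be the principal names listed for that node's keytab, for instance from `klist -kt`.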
