On 5 Jul 2016, at 20:43, Benjamin Ross wrote:
Hey David,
Thanks. Yep - that's the easy part. Let me clarify.
Consider that we have:
1. A Hadoop cluster running without Kerberos
2. A number of services contacting that hadoop cluster and retrieving
data from it using WebHDFS.
Clearly the services don't need to login to WebHDFS using credentials
because the cluster isn't kerberized just yet.
Now what happens when we enable Kerberos on the cluster? We still
need to allow those services to contact the cluster without
credentials until we can upgrade them. Otherwise we'll have
downtime. So what can we do?
As a possible solution, is there any way to allow unprotected access
from just those machines until we can upgrade them?
I doubt you can enable Kerberos without downtime anyway :) But apart
from using Knox as mentioned by Larry (didn't use it so couldn't comment
on that and wether it would support some sort of fallback allowing from
near-zero downtime), I guess your apps will need support for both
Kerberized and non-Kerberized HTTP, which you can drive with some master
switch from something appropriate, be it DB or Zookeeper or whatever. In
that case working on the client classes/apps and making them support
both would be preliminary to anything else. But I may be missing the
point again?
David
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
