[
https://issues.apache.org/jira/browse/AMBARI-7204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14126054#comment-14126054
]
jun aoki commented on AMBARI-7204:
----------------------------------
[~rlevas], well documented!
Not knowing Kerberos best practices, I have a comment on the 2.1 Use Cases.
To simplify, how about we implement only 2.1.1, 2.1.2 and 2.1.3?
Clusters managed by Ambari always talk to the internal KDC (basically 2.1.1
only, as far as clusters and nodes can see), and if an organization has an
existing KDC or Active Directory, we also provide a plugin or middleware to
support 2.1.2 and 2.1.3 (one-way trust to an external source).
This may not be needed if one-way trust is a part of the KDC.
For use cases 2.1.4 and 2.1.5, Ambari still sets up a mandatory local KDC; we can
simply apply the idea of 2.1.2 and 2.1.3 to let it connect to the existing ones.
> Ambari Automated Kerberization
> ------------------------------
>
> Key: AMBARI-7204
> URL: https://issues.apache.org/jira/browse/AMBARI-7204
> Project: Ambari
> Issue Type: Epic
> Components: ambari-server, security, stacks
> Affects Versions: 2.0.0
> Environment: Kerberos
> Reporter: Robert Levas
> Assignee: Robert Levas
> Labels: active-directory, authentication, kerberos,
> mit-kerberos, security, stack
> Attachments: AmbariClusterKerberization.pdf
>
> Original Estimate: 2,016h
> Remaining Estimate: 2,016h
>
> *Problem*
> Manually installing and setting up Kerberos for a secure Hadoop cluster is
> error prone, largely manual and a potential source of configuration problems.
> It requires many steps where configuration files and credentials may need to
> be distributed across many nodes. Because of this, the process is time
> consuming and leads to a high probability of user error.
> The problem is exacerbated when the cluster is modified by adding or removing
> nodes and services.
> *Solution*
> Use Ambari to secure the cluster using Kerberos. By automating the process
> of setting up Kerberos, the repetitive tasks of distributing configuration
> details and credentials can be done in parallel to the nodes within the
> cluster. This also negates most user-related errors due to the lack of
> interaction a user has with the process.
> See [^AmbariClusterKerberization.pdf] for more details.