[jira] [Commented] (AMBARI-7204) Ambari Automated Kerberization

Fri, 03 Oct 2014 08:18:55 -0700 

    [ 
https://issues.apache.org/jira/browse/AMBARI-7204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14158076#comment-14158076
 ] 

Robert Levas commented on AMBARI-7204:
--------------------------------------

Since it is likely that any user-supplied KDC/AD administrator principals will 
not be properly secured due to the way Ambari handles (request) data, would it 
be unacceptable to declare that any KDC/AD administrative credentials are to be 
temporary and should be reset after any Ambari-related activity?

What I mean by "declare" is via documentation and the UI.
  

> Ambari Automated Kerberization
> ------------------------------
>
>                 Key: AMBARI-7204
>                 URL: https://issues.apache.org/jira/browse/AMBARI-7204
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server, security, stacks
>    Affects Versions: 2.0.0
>         Environment: Kerberos
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: active-directory, authentication, kerberos, 
> mit-kerberos, security, stack
>             Fix For: 2.0.0
>
>         Attachments: AmbariClusterKerberization.pdf
>
>   Original Estimate: 2,016h
>  Remaining Estimate: 2,016h
>
> *Problem*
> Manually installing and setting up Kerberos for a secure Hadoop cluster is 
> error prone, largely manual and a potential source of configuration problems. 
> It requires many steps where configuration files and credentials may need to 
> be distributed across many nodes.  Because of this the process is time 
> consuming and lead to a high probability of user error.
> The problem is exacerbated when the cluster is modified by adding or removing 
> nodes and services.
> *Solution*
> Use Ambari to secure the cluster using Kerberos.  By automating the process 
> of setting up Kerberos, the repetitive tasks of distributing configuration 
> details and credentials can be done in parallel to the nodes within the 
> cluster.  This also negates most user-related errors due to the lack of 
> interaction a user has with the process.  
> See [^AmbariClusterKerberization.pdf] for more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to