Re: kerberos principals per node necessary?
For helping manage this, Hadoop lets you specify principals of the format hdfs/_HOST@SOME-REALM. Here _HOST is a special string that Hadoop interprets and replaces with the local hostname. You need to create principals per host though.

+Vinod

On Feb 2, 2014, at 3:14 PM, Koert Kuipers ko...@tresata.com wrote:

> is it necessary to create a kerberos principal for hdfs on every node, as in hdfs/some-host@SOME-REALM?
> why not use one principal hdfs@SOME-REALM? that way i could distribute the same keytab file to all nodes which makes things a lot easier.
> thanks! koert
Re: kerberos principals per node necessary?
interesting! thanks for that information, very helpful

On Mon, Feb 3, 2014 at 6:04 PM, Benoy Antony bant...@gmail.com wrote:

> It's a bad idea, Koert.
> When multiple nodes are using the same principal (in this case all the datanodes), it will result in the server assuming that it's a replay attack and result in denial of service.
> More details here: http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.2.1/CDH4-Security-Guide/cdh4sg_topic_17.html#concept_hfv_zqw_wj_unique_1
> and here: http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html
>
> benoy
>
> On Sun, Feb 2, 2014 at 3:14 PM, Koert Kuipers ko...@tresata.com wrote:
>
>> is it necessary to create a kerberos principal for hdfs on every node, as in hdfs/some-host@SOME-REALM?
>> why not use one principal hdfs@SOME-REALM? that way i could distribute the same keytab file to all nodes which makes things a lot easier.
>> thanks! koert
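
Added example, not part of any message in this thread: a simplified Python model of the _HOST substitution described in the first reply and of the replay-cache behaviour the quoted reply refers to. The cache key (client principal, ctime, cusec), the host names and the timestamps are assumptions constructed for illustration; real Kerberos replay caches differ in detail.

```python
import re

def expand_host(principal_pattern: str, hostname: str) -> str:
    """Replace the _HOST instance component with the node's own hostname."""
    m = re.fullmatch(r"([^/@]+)/_HOST@([^/@]+)", principal_pattern)
    if not m:
        return principal_pattern  # no _HOST placeholder: used exactly as written
    return f"{m.group(1)}/{hostname}@{m.group(2)}"

class ReplayCache:
    """Toy model: remembers the authenticators a server has already accepted."""

    def __init__(self):
        self.seen = set()

    def accept(self, client: str, ctime: int, cusec: int) -> bool:
        key = (client, ctime, cusec)  # assumed cache key for this sketch
        if key in self.seen:
            return False  # same principal and timestamp: treated as a replay
        self.seen.add(key)
        return True

def rejected_requests(principal_pattern, requests):
    """requests: (hostname, ctime, cusec) tuples; returns hosts that were refused."""
    cache = ReplayCache()
    rejected = []
    for hostname, ctime, cusec in requests:
        client = expand_host(principal_pattern, hostname)
        if not cache.accept(client, ctime, cusec):
            rejected.append(hostname)
    return rejected

# Constructed sample: three datanodes whose authenticators carry the same timestamp.
REQUESTS = [
    ("dn1.example.com", 1391382840, 120),
    ("dn2.example.com", 1391382840, 120),
    ("dn3.example.com", 1391382840, 120),
]

if __name__ == "__main__":
    print("shared principal  :", rejected_requests("hdfs@SOME-REALM", REQUESTS))
    print("per-host principal:", rejected_requests("hdfs/_HOST@SOME-REALM", REQUESTS))
```

With the shared principal the second and third nodes are refused even though nothing was replayed; with per-host principals every authenticator has a distinct client name and all three are accepted.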
kerberos principals per node necessary?
is it necessary to create a kerberos principal for hdfs on every node, as in hdfs/some-host@SOME-REALM?
why not use one principal hdfs@SOME-REALM? that way i could distribute the same keytab file to all nodes which makes things a lot easier.
thanks! koert