Posted to user@hadoop.apache.org by "Zheng, Kai" <ka...@intel.com> on 2012/10/18 02:38:25 UTC

Not sure Kerberos principal needs a Linux user account

Sorry, may I resend the message with a subject, just forgot it.

Hi,

When Kerberos authentication is used instead of the default "simple" method, is a Linux user account needed to run a MapReduce job for a principal? Why?
For example, for a Kerberos principal "john@whatever-company.com", if he needs to run a job, is the following step 1) & 2) a must?

1)      Create a Linux user "john" (the first component of the principal name);

2)      The user logins as "john" into Linux shell;

3)      kinit john@whatever-company.com;

4)      run MapReduce job

Thanks.

RE: Not sure Kerberos principal needs a Linux user account

Posted by "Zheng, Kai" <ka...@intel.com>.
Got it. Thanks Harsh!

-----Original Message-----
From: Harsh J [mailto:harsh@cloudera.com] 
Sent: Thursday, October 18, 2012 12:44 PM
To: user@hadoop.apache.org
Subject: Re: Not sure Kerberos principal needs a Linux user account

Hi,

Reply inline.

On Thu, Oct 18, 2012 at 6:08 AM, Zheng, Kai <ka...@intel.com> wrote:
> Sorry, may I resend the message with a subject, just forgot it.
>
> Hi,
>
> When Kerberos authentication is used instead of the default "simple" 
> method, is a Linux user account needed to run a MapReduce job for a principal? Why?

It is not Kerberos that requires this but the LinuxTaskController. It is necessary for secured environments to run the MR tasks as the submitting user of the job itself (via setuid) and hence, a locally lookup-able account with a UID associated is necessary.

This form of boxing in is required such that one user's task does not try to harm another's. This scenario is possible in non-secure environments, where all tasks run as the owner of the TaskTracker parent process itself.

> For example, for a Kerberos principal "john@whatever-company.com", if 
> he needs to run a job, is the following step 1) & 2)  a must?
>
> 1)      Create a Linux user "john" (the first component of the principal
> name);
>
> 2)      The user logins as "john" into Linux shell;

Yes, for an identity "john" to be the submitter, on all tasktrackers, the "john" must exist for the LinuxTaskController to work. If you do not want this, do not use the LinuxTaskController.

> 3)      kinit john@whatever-company.com;

The kinit is only necessary at the job submission node.

--
Harsh J

Re: Not sure Kerberos principal needs a Linux user account

Posted by Harsh J <ha...@cloudera.com>.
Hi,

Reply inline.

On Thu, Oct 18, 2012 at 6:08 AM, Zheng, Kai <ka...@intel.com> wrote:
> Sorry, may I resend the message with a subject, just forgot it.
>
> Hi,
>
> When Kerberos authentication is used instead of the default “simple” method,
> is a Linux user account needed to run a MapReduce job for a principal? Why?

It is not Kerberos that requires this but the LinuxTaskController. It
is necessary for secured environments to run the MR tasks as the
submitting user of the job itself (via setuid) and hence, a locally
lookup-able account with a UID associated is necessary.

This form of boxing in is required such that one user's task does not
try to harm another's. This scenario is possible in non-secure
environments, where all tasks run as the owner of the TaskTracker
parent process itself.

> For example, for a Kerberos principal “john@whatever-company.com”, if he
> needs to run a job, is the following step 1) & 2)  a must?
>
> 1)      Create a Linux user “john” (the first component of the principal
> name);
>
> 2)      The user logins as “john” into Linux shell;

Yes, for an identity "john" to be the submitter, on all tasktrackers,
the "john" must exist for the LinuxTaskController to work. If you do
not want this, do not use the LinuxTaskController.

> 3)      kinit john@whatever-company.com;

The kinit is only necessary at the job submission node.

-- 
Harsh J
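
Added example, not part of the thread and not Hadoop code: a pre-flight check for the requirement described in the reply above, that the submitter's short name must resolve to a local account with a UID on every TaskTracker. It assumes the short name is the first component of the principal, as in the question; the node names and passwd contents are constructed sample data, and all function names are hypothetical.

```python
import pwd

# Constructed sample data: /etc/passwd contents collected from two TaskTracker nodes.
SAMPLE_PASSWD = {
    "tt-node-1": "root:x:0:0:root:/root:/bin/bash\n"
                 "john:x:1001:1001::/home/john:/bin/bash\n",
    "tt-node-2": "root:x:0:0:root:/root:/bin/bash\n"
                 "mapred:x:498:498::/var/lib/mapred:/sbin/nologin\n",
}

def short_name(principal):
    """First component of a Kerberos principal: primary[/instance][@REALM]."""
    primary = principal.split("@", 1)[0].split("/", 1)[0]
    if not primary:
        raise ValueError("principal has no primary component: %r" % principal)
    return primary

def parse_passwd(text):
    """Map user name -> UID from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed or compat (+/-) entry: nothing a setuid could target
        users.setdefault(fields[0], int(fields[2]))  # first entry wins, as in file lookup
    return users

def missing_accounts(principals, passwd_by_node):
    """Return {principal: [nodes where no local account resolves]}."""
    tables = {node: parse_passwd(text) for node, text in passwd_by_node.items()}
    gaps = {}
    for principal in principals:
        user = short_name(principal)
        nodes = sorted(n for n, users in tables.items() if user not in users)
        if nodes:
            gaps[principal] = nodes
    return gaps

def local_uid(principal):
    """UID on this host via the system name service, or None if nothing resolves."""
    try:
        return pwd.getpwnam(short_name(principal)).pw_uid
    except KeyError:
        return None

if __name__ == "__main__":
    print(missing_accounts(["john@whatever-company.com"], SAMPLE_PASSWD))
```

`local_uid` queries the live host through the same name-service lookup a setuid launcher depends on, so it also covers accounts served from LDAP or NIS rather than /etc/passwd.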
