Posted to issues@bigtop.apache.org by "kevinshin (Jira)" <ji...@apache.org> on 2022/09/21 10:10:00 UTC

[jira] [Commented] (BIGTOP-1431) Determine future of Kerberos and ID Support in Bigtop

    [ https://issues.apache.org/jira/browse/BIGTOP-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17607653#comment-17607653 ] 

kevinshin commented on BIGTOP-1431:
-----------------------------------

In addition to FreeIPA, how about [Apache Kerby|https://directory.apache.org/kerby/]?

> Determine future of Kerberos and ID Support in Bigtop
> -----------------------------------------------------
>
>                 Key: BIGTOP-1431
>                 URL: https://issues.apache.org/jira/browse/BIGTOP-1431
>             Project: Bigtop
>          Issue Type: Task
>          Components: documentation
>    Affects Versions: backlog
>            Reporter: jay vyas
>            Assignee: Olaf Flebbe
>            Priority: Major
>             Fix For: backlog
>
>
> We might need to address kerberization and identity management at some point in bigtop...
> - A concrete reason is that the new hadoop versions require kerberos for use of the LinuxContainerExecutor (alternative to default yarn container executor which just spins up a new JVM - LCE actually logs in as the user submitting the job, and runs with user permissions at the posix level).
> - Non-HDFS FileSystems require posix identities, not just user name strings like HDFS. So to securely support HDFS alternatives in yarn jobs, linux containers are required.
> - Another reason is that enterprises and so on are moving towards first class ID management with hadoop. We can leverage existing identity management tooling to make this a reality in bigtop as well.
> [~plinnell] and [~cos] I think FreeIPA makes it super easy to use DNS + LDAP + Kerberos together. And I think in the enterprise, we will see increasing number of folks wanting to use it in their hadoop workloads. We've already seen how hbase DNS can be tricky anyways. So, I actually think a FreeIPA enabled bigtop distro might be a pretty valuable artifact for the community.
> Now... Cos has mentioned some other intriguing ideas around YARN as well. In any case, let's hash out how Identities and kerberos should be managed, if at all, in bigtop.


