Posted to issues@bigtop.apache.org by "Olaf Flebbe (JIRA)" <ji...@apache.org> on 2015/10/08 17:06:26 UTC

[jira] [Commented] (BIGTOP-1431) Determine future of Kerberos and ID Support in BigTop

    [ https://issues.apache.org/jira/browse/BIGTOP-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14948797#comment-14948797 ] 

Olaf Flebbe commented on BIGTOP-1431:
-------------------------------------

Right now there is a puppet module which can act as a plugin replacement into current bigtop.

https://github.com/edgester/puppet-module-kerberos

We should not implement a binding to a specific AA service; we can rely on some enterprise management to configure that service - if needed - and configure hadoop to act as an AA client. That missing link is provided by "edgester"'s puppet module for MIT Kerberos.

Will add some Confluence wiki pages ...



> Determine future of Kerberos and ID Support in BigTop
> -----------------------------------------------------
>
>                 Key: BIGTOP-1431
>                 URL: https://issues.apache.org/jira/browse/BIGTOP-1431
>             Project: Bigtop
>          Issue Type: Task
>          Components: documentation
>    Affects Versions: backlog
>            Reporter: jay vyas
>            Assignee: Olaf Flebbe
>             Fix For: 1.1.0
>
>
> We might need to address kerberization and identity management at some point in bigtop...
> - A concrete reason is that the new hadoop versions require kerberos for use of the LinuxContainerExecutor (alternative to default yarn container executor which just spins up a new JVM - LCE actually logs in as the user submitting the job, and runs with user permissions at the posix level).
> - Non HDFS FileSystems require posix identities, not just user name strings like HDFS. So to securely support HDFS alternatives in yarn jobs, linux containers are required.
> - Another reason is that enterprises and so on are moving towards first class ID management with hadoop. We can leverage existing identity management tooling to make this a reality in bigtop as well.
> [~plinnell] and [~cos] I think FreeIPA makes it super easy to use DNS + LDAP + Kerberos together. And I think in the enterprise, we will see increasing number of folks wanting to use it in their hadoop workloads. We've already seen how hbase DNS can be tricky anyways. So, I actually think a FreeIPA enabled bigtop distro might be a pretty valuable artifact for the community.
> Now... Cos has mentioned some other intriguing ideas around YARN as well. In any case, let's hash out how Identities and kerberos should be managed, if at all, in bigtop.


