Posted to common-user@hadoop.apache.org by Fabio Pitzolu <fa...@gr-ci.com> on 2012/06/25 17:02:59 UTC

Hadoop security

Hi community!
I have a question concerning Hadoop security; in particular, I need some
advice on configuring Kerberos authentication:

1 - I have an Active Directory domain, do I have to connect the Linux
Hadoop nodes to the AD domain?
2 - Is it possible to use a KDC to authenticate and another KDC for user /
groups authorization?

Many thanks,

Fabio


Re: Hadoop security

Posted by Owen O'Malley <om...@apache.org>.
On Mon, Jun 25, 2012 at 8:02 AM, Fabio Pitzolu <fa...@gr-ci.com> wrote:

> Hi community!
> I have a question concerning Hadoop security; in particular, I need some
> advice on configuring Kerberos authentication:
>
> 1 - I have an Active Directory domain, do I have to connect the Linux
> Hadoop nodes to the AD domain?
> 2 - Is it possible to use a KDC to authenticate and another KDC for user /
> groups authorization?
>

It is common to create a domain for the Linux machines in the cluster with
the principals for the servers (nn/_HOST, jt/_HOST, dn/_HOST, tt/_HOST,
etc., where the _HOST is replaced by the full host name). If you have an
Active Directory for the users, you need to set up a trust relationship
between the Linux KDC and the Active Directory. The other critical piece is
setting up the auth_to_local mapping so that the Kerberos principals are
correctly mapped to Unix login IDs.

This is a common configuration, so you aren't even on the bleeding edge.
*grin*

-- Owen
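
The auth_to_local mapping mentioned in the reply above, as an added example that is not part of the original thread: a simplified Python evaluator for the rule syntax of Hadoop's hadoop.security.auth_to_local property, so a rule set can be checked against sample principals before it is deployed. The realm names, host names and the hdfs/mapred service accounts are assumptions made for illustration.

```python
import re

# Constructed realms: the cluster's own Linux KDC and the trusted AD realm.
DEFAULT_REALM = "HADOOP.EXAMPLE.COM"

# Rules in the hadoop.security.auth_to_local syntax; the first match wins.
RULES = r"""
RULE:[2:$1@$0]([nd]n@HADOOP\.EXAMPLE\.COM)s/.*/hdfs/
RULE:[2:$1@$0]([jt]t@HADOOP\.EXAMPLE\.COM)s/.*/mapred/
RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*//
DEFAULT
""".split()

# Subset of the rule grammar: RULE:[n:format](regex)s/pattern/replacement/g
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/([^/]*)/([^/]*)/(g?)$")


def to_local(principal):
    """Map a Kerberos principal to a Unix login ID, or raise ValueError."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")            # e.g. ["nn", "master1.hadoop..."]
    for rule in RULES:
        if rule == "DEFAULT":
            # DEFAULT only accepts principals from the cluster's own realm.
            if realm == DEFAULT_REALM:
                return parts[0]
            continue
        count, fmt, match, pattern, repl, g = RULE_RE.match(rule).groups()
        if int(count) != len(parts):   # rule is for another principal shape
            continue
        # $0 is the realm, $1..$n are the name components.
        base = re.sub(r"\$(\d)", lambda d: ([realm] + parts)[int(d.group(1))], fmt)
        if not re.fullmatch(match, base):
            continue
        local = re.sub(pattern, repl, base, count=0 if g else 1)
        # A result that still carries a realm or host part is not a login ID.
        if "@" in local or "/" in local:
            raise ValueError("non-simple name %r from %r" % (local, principal))
        return local
    raise ValueError("no rule matches %r" % principal)


if __name__ == "__main__":
    for p in ("nn/master1.hadoop.example.com@HADOOP.EXAMPLE.COM",
              "tt/worker7.hadoop.example.com@HADOOP.EXAMPLE.COM",
              "fabio@AD.EXAMPLE.COM"):
        print(p, "->", to_local(p))
```

A principal from a realm that no rule covers is rejected rather than mapped, which is the behaviour to confirm when only the AD realm is meant to be trusted.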