You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2014/10/03 17:18:33 UTC

[jira] [Commented] (AMBARI-7204) Ambari Automated Kerberization

    [ https://issues.apache.org/jira/browse/AMBARI-7204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14158076#comment-14158076 ] 

Robert Levas commented on AMBARI-7204:
--------------------------------------

Since it is likely that any user-supplied KDC/AD administrator principals will not be properly secured due to the way Ambari handles (request) data, would it be unacceptable to declare that any KDC/AD administrative credentials are to be temporary and should be reset after any Ambari-related activity?

What I mean by "declare" is via documentation and the UI.
  

> Ambari Automated Kerberization
> ------------------------------
>
>                 Key: AMBARI-7204
>                 URL: https://issues.apache.org/jira/browse/AMBARI-7204
>             Project: Ambari
>          Issue Type: Epic
>          Components: ambari-server, security, stacks
>    Affects Versions: 2.0.0
>         Environment: Kerberos
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: active-directory, authentication, kerberos, mit-kerberos, security, stack
>             Fix For: 2.0.0
>
>         Attachments: AmbariClusterKerberization.pdf
>
>   Original Estimate: 2,016h
>  Remaining Estimate: 2,016h
>
> *Problem*
> Manually installing and setting up Kerberos for a secure Hadoop cluster is error prone, largely manual and a potential source of configuration problems. It requires many steps where configuration files and credentials may need to be distributed across many nodes.  Because of this the process is time consuming and lead to a high probability of user error.
> The problem is exacerbated when the cluster is modified by adding or removing nodes and services.
> *Solution*
> Use Ambari to secure the cluster using Kerberos.  By automating the process of setting up Kerberos, the repetitive tasks of distributing configuration details and credentials can be done in parallel to the nodes within the cluster.  This also negates most user-related errors due to the lack of interaction a user has with the process.  
> See [^AmbariClusterKerberization.pdf] for more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)