Posted to mapreduce-user@hadoop.apache.org by Koert Kuipers <ko...@tresata.com> on 2014/02/03 00:14:19 UTC

kerberos principals per node necessary?

is it necessary to create a kerberos principal for hdfs on every node, as
in hdfs/some-host@SOME-REALM?
why not use one principal hdfs@SOME-REALM? that way i could distribute the
same keytab file to all nodes which makes things a lot easier.
thanks! koert

Re: kerberos principals per node necessary?

Posted by Koert Kuipers <ko...@tresata.com>.
interesting! thanks for that information, very helpful


On Mon, Feb 3, 2014 at 6:04 PM, Benoy Antony <ba...@gmail.com> wrote:

> It's a bad idea, Koert.
> When multiple nodes are using the same principal (in this case all the
> datanodes), it will result in the server assuming that it's a replay attack
> and result in denial of service.
>
> More details here:
>
> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.2.1/CDH4-Security-Guide/cdh4sg_topic_17.html#concept_hfv_zqw_wj_unique_1
>
> and here
> http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html
>
> benoy
>
>
> On Sun, Feb 2, 2014 at 3:14 PM, Koert Kuipers <ko...@tresata.com> wrote:
>
>> is it necessary to create a kerberos principal for hdfs on every node, as
>> in hdfs/some-host@SOME-REALM?
>> why not use one principal hdfs@SOME-REALM? that way i could distribute
>> the same keytab file to all nodes which makes things a lot easier.
>> thanks! koert
>>
>
>

Re: kerberos principals per node necessary?

Posted by Benoy Antony <ba...@gmail.com>.
It's a bad idea, Koert.
When multiple nodes are using the same principal (in this case all the
datanodes), it will result in the server assuming that it's a replay attack
and result in denial of service.

More details here:
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.2.1/CDH4-Security-Guide/cdh4sg_topic_17.html#concept_hfv_zqw_wj_unique_1

and here
http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html

benoy


On Sun, Feb 2, 2014 at 3:14 PM, Koert Kuipers <ko...@tresata.com> wrote:

> is it necessary to create a kerberos principal for hdfs on every node, as
> in hdfs/some-host@SOME-REALM?
> why not use one principal hdfs@SOME-REALM? that way i could distribute
> the same keytab file to all nodes which makes things a lot easier.
> thanks! koert
>

Re: kerberos principals per node necessary?

Posted by Vinod Kumar Vavilapalli <vi...@apache.org>.
For helping manage this, Hadoop lets you specify principals of the format hdfs/_HOST@SOME-REALM. Here _HOST is a special string that Hadoop interprets and replaces with the local hostname. You need to create principals per host though.

+Vinod

On Feb 2, 2014, at 3:14 PM, Koert Kuipers <ko...@tresata.com> wrote:

> is it necessary to create a kerberos principal for hdfs on every node, as in hdfs/some-host@SOME-REALM?
> why not use one principal hdfs@SOME-REALM? that way i could distribute the same keytab file to all nodes which makes things a lot easier.
> thanks! koert
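
The per-host setup discussed in this thread, as an added example that is not part of the original messages or Hadoop's own code: it expands hdfs/_HOST@SOME-REALM per host, flags a pattern that would give every node the same principal, and prints MIT kadmin commands for one principal and keytab per host. Host names, the keytab directory and the keytab file names are constructed placeholders, and lowercasing the hostname is an assumption about Hadoop's substitution.

```shell
#!/usr/bin/env bash
# Added example. Hosts, keytab directory and file names are constructed.

# Expand service/_HOST@REALM for one host. Only a middle component that is
# exactly _HOST is rewritten; the hostname is lowercased (assumed to match
# Hadoop's substitution). Any other name is returned unchanged.
expand_principal() {
  local pattern="$1" host="$2" svc rest inst realm
  case $pattern in
    */*@*) ;;
    *) printf '%s\n' "$pattern"; return 0 ;;
  esac
  svc=${pattern%%/*}; rest=${pattern#*/}
  inst=${rest%%@*};   realm=${rest#*@}
  if [ "$inst" = "_HOST" ]; then
    inst=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
  fi
  printf '%s/%s@%s\n' "$svc" "$inst" "$realm"
}

# Succeed only if every host resolves to its own principal. A pattern with
# no _HOST (hdfs@SOME-REALM) maps all hosts to one principal and fails.
principals_unique() {
  local pattern="$1" host distinct
  shift
  distinct=$(for host in "$@"; do expand_principal "$pattern" "$host"; done |
             sort -u | wc -l)
  [ "$distinct" -eq "$#" ]
}

# Print (not run) the MIT kadmin commands: one random-key principal per
# host, exported to a keytab that is copied to that host only.
kadmin_commands() {
  local pattern="$1" dir="$2" host princ
  shift 2
  for host in "$@"; do
    princ=$(expand_principal "$pattern" "$host")
    printf 'addprinc -randkey %s\n' "$princ"
    printf 'ktadd -k %s/hdfs.%s.keytab %s\n' "$dir" "$host" "$princ"
  done
}

for p in 'hdfs/_HOST@SOME-REALM' 'hdfs@SOME-REALM'; do
  if principals_unique "$p" dn1.example.com DN2.example.com; then
    kadmin_commands "$p" /etc/security/keytabs dn1.example.com DN2.example.com
  else
    echo "refusing $p: every node would share one principal and keytab" >&2
  fi
done
```

The printed commands are meant to be reviewed and then run in kadmin; each resulting keytab goes only to the host named in its principal.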

