Contributor
Posts: 29
Registered: ‎07-19-2016

Two kerberized clusters with the same Active directory


Hi,

 

Can two Kerberized CDH clusters be connected to the same Active Directory and share all of the following:

 

  1. Organizational Unit: so that all principals for all services from both clusters will be created under the same OU
  2. Kerberos principal for Cloudera Manager: so that both clusters will use the same AD user to generate principals for the rest of the CDH services within the same OU.
  3. HDFS superuser

Our use case is that we initially had one CDH cluster, but now plan to introduce a second one as a test/QA CDH cluster and wondered whether we have to completely separate them in AD or if they can share everything. 

Expert Contributor
Posts: 127
Registered: ‎01-08-2018

Re: Two kerberized clusters with the same Active directory

IMHO, this is not a very good idea. You probably have some reasons to do that.

In that case, since you share almost everything, you should consider managing both clusters from the same Cloudera Manager. In that case all of your points are fully satisfied.

Contributor
Posts: 29
Registered: ‎07-19-2016

Re: Two kerberized clusters with the same Active directory


Why do you think that this isn't a good idea?

I actually did share the OU, the Kerberos principal for CM and the HDFS superuser between the two clusters and still haven't seen any unwanted effects.

Both CMs use the same Kerberos principal but create unique principals in the same OU for each service, e.g. service@host.realm.

Expert Contributor
Posts: 127
Registered: ‎01-08-2018

Re: Two kerberized clusters with the same Active directory

Usually, when we create test clusters, we are more elastic on user permissions. With this configuration, we are increasing the possibility that a malicious user can take advantage and gain access to data on the production cluster that he/she normally should not have.

 

Again, this is only my personal opinion. Of course you can ignore it, as you know your needs.
