question Re: Which is better to create Hadoop accounts in LDAP/AD or locally? in Support Questions

Which is better to create Hadoop accounts in LDAP/AD or locally?

bandarusridhar1 — Wed, 25 May 2016 09:36:47 GMT

Hi,

Which is better to create Hadoop accounts in LDAP/AD or locally?

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

bsaini — Wed, 25 May 2016 09:39:31 GMT

In ref to kerbeors, it is better to create hadoop accounts locally to avoid sending hadoop internal auth requests to AD and add to the AD load. Setting up hadoop accounts locally in a KDC and setting up one way trust between KDC and AD is the way to go.

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

bandarusridhar1 — Wed, 25 May 2016 21:21:38 GMT

@bsaini

Thanks for your response. May I know which is the best practice for security reason.?

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

ravi1 — Thu, 26 May 2016 00:57:38 GMT

For ease of use, local KDC for hadoop service principals and AD for users is the best way. However, you need to secure your local KDC/Kerberos. If you can secure that, there is no reason not to use local KDC for hadoop service principals.

You may run into security policies that do not allow local kerberos instances. You may also run into policies where you won't get AD credentials that have permissions to create principals in an OU on AD. This will be required if you want ambari to directly create principals for you.

So, which one to go with is entirely dependent on company security policies.

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

bandarusridhar1 — Thu, 26 May 2016 03:18:26 GMT

@Ravi Mutyala

Thanks Ravi, If I got for local accounts like HDFS etc.., will the UID will same for all the machines with respect to that user? If I have to add a new machine how will that UID will effect?

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

ravi1 — Thu, 26 May 2016 03:53:15 GMT

Its not essential for all local accounts to have the same UID though this will help with easier maintenance. If you let ambari create your local accounts, then you may not get the same UIDs for local users across all nodes. If you want to get same UIDs, its better you manage create local users as part of your server configuration management process (like puppet/chef if you have one).

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

bandarusridhar1 — Thu, 26 May 2016 23:19:48 GMT

@Ravi Mutyala

Got you, Ravi. Hadoop will run on the name but not on the UID. Whatever that UID it might be Hadoop doesn't care in the processing/operations.

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

ravi1 — Thu, 26 May 2016 23:26:22 GMT

Yes. Thats correct.

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

bharathk — Thu, 04 Apr 2019 10:36:00 GMT

@Ravi Mutyala @Sridhar Reddy; Can we create no-login service accounts in AD? or, should they be a login accounts?

Re: Which is better to create Hadoop accounts in LDAP/AD or locally?

bandarusridhar1 — Thu, 04 Apr 2019 12:10:16 GMT

@Bharath Kumar: Yes, you can create no-login them in AD. Technically, they should be login accounts if you are planning to run some service. That may vary based on the senario