https://community.cloudera.com/t5/Archives-of-Support-Questions/Connection-between-clusters-with-and-without-Kerberos/m-p/134402#M31581 <P>Hello <A rel="user" href="https://community.cloudera.com/users/11059/tsantiago.html" nodeid="11059">@Thiago</A>. It is possible to achieve communication across secured and unsecured clusters. A common use case for this is using DistCp for transfer of data between clusters.</P><P>As mentioned in other answers, the configuration property ipc.client.fallback-to-simple-auth-allowed=true tells a secured client that it may enter a fallback unsecured mode when the unsecured server side fails to satisfy authentication. However, I recommend not setting this in core-site.xml, and instead setting it on the command line invocation specifically for the DistCp command that needs to communicate with the unsecured cluster. Setting it in core-site.xml means that all RPC connections for any application are eligible for fallback to simple authentication. This potentially expands the attack surface for man-in-the-middle attacks.</P><P>Here is an example of overriding the setting on the command line while running DistCp:</P><PRE>hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true hdfs://nn1:8020/foo/bar hdfs://nn2:8020/bar/foo</PRE><P>The command must be run while logged into the secured cluster, not the unsecured cluster.</P><P>This is adapted from one of my prior answers:</P><P><A href="https://community.hortonworks.com/questions/294/running-distcp-between-two-cluster-one-kerberized.html" target="_blank">https://community.hortonworks.com/questions/294/running-distcp-between-two-cluster-one-kerberized.html</A></P> Sun, 12 Jun 2016 03:46:11 GMT cnauroth 2016-06-12T03:46:11Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Connection-between-clusters-with-and-without-Kerberos/m-p/134400#M31579 <P>Hi there! how are you? <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P><P>We have a HDP 2.2 cluster (without Kerberos) already on Production, and we are planning to build another HPD 2.4 cluster (with Kerberos) on the side of the first one. </P><P> So, cutting to the chase, my doubt is: Are we going to have some troubles on the attempting to connect to a kerberos enabled cluster? </P><P>Are there limitations on the communication between clusters? I mean, will a cluster be able to connect to the cluster for read/write operations, without getting kerberos errors. </P><P> As far as I know, this is not a supported configuration but I am looking for someone that has experience configuring this solution. </P><P>Thanks in advance. </P><P>Thiago.</P> Fri, 16 Sep 2022 10:24:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Connection-between-clusters-with-and-without-Kerberos/m-p/134400#M31579 ThiagoSantiago 2022-09-16T10:24:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Connection-between-clusters-with-and-without-Kerberos/m-p/134401#M31580 <A rel="user" href="https://community.cloudera.com/users/11059/tsantiago.html" nodeid="11059">@Thiago</A><P>If you are using DistCp and WebHDFS to copy data between a secure cluster and an nonsecure cluster by doing the following: </P><P><A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Sys_Admin_Guides/content/ref-c8ffaa14-eaf8-48a6-9791-307283d5d29d.1.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Sys_Admin_Guides/content/ref-c8ffaa14-eaf8-48a6-9791-307283d5d29d.1.html</A></P><OL> <LI>Set ipc.client.fallback-to-simple-auth-allowed to true in core-site.xml <EM>on the secure cluster side</EM>:<PRE>&lt;property&gt; &lt;name&gt;ipc.client.fallback-to-simple-auth-allowed&lt;/name&gt; &lt;value&gt;true&lt;/value&gt; &lt;/property&gt;</PRE> </LI> <LI>Use below commands <EM>from the secure cluster side.</EM><PRE>distcp webhdfs://nonsecure-cluster webhdfs://secure-cluster distcp webhdfs://secure-cluster webhdfs://nonsecure-cluster </PRE></LI></OL> Sun, 12 Jun 2016 00:04:54 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Connection-between-clusters-with-and-without-Kerberos/m-p/134401#M31580 jyadav 2016-06-12T00:04:54Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Connection-between-clusters-with-and-without-Kerberos/m-p/134402#M31581 <P>Hello <A rel="user" href="https://community.cloudera.com/users/11059/tsantiago.html" nodeid="11059">@Thiago</A>. It is possible to achieve communication across secured and unsecured clusters. A common use case for this is using DistCp for transfer of data between clusters.</P><P>As mentioned in other answers, the configuration property ipc.client.fallback-to-simple-auth-allowed=true tells a secured client that it may enter a fallback unsecured mode when the unsecured server side fails to satisfy authentication. However, I recommend not setting this in core-site.xml, and instead setting it on the command line invocation specifically for the DistCp command that needs to communicate with the unsecured cluster. Setting it in core-site.xml means that all RPC connections for any application are eligible for fallback to simple authentication. This potentially expands the attack surface for man-in-the-middle attacks.</P><P>Here is an example of overriding the setting on the command line while running DistCp:</P><PRE>hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true hdfs://nn1:8020/foo/bar hdfs://nn2:8020/bar/foo</PRE><P>The command must be run while logged into the secured cluster, not the unsecured cluster.</P><P>This is adapted from one of my prior answers:</P><P><A href="https://community.hortonworks.com/questions/294/running-distcp-between-two-cluster-one-kerberized.html" target="_blank">https://community.hortonworks.com/questions/294/running-distcp-between-two-cluster-one-kerberized.html</A></P> Sun, 12 Jun 2016 03:46:11 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Connection-between-clusters-with-and-without-Kerberos/m-p/134402#M31581 cnauroth 2016-06-12T03:46:11Z