
Multiple CDH clusters sharing the same Domain, DNS and KDC.


Hello,

 

I'm trying to understand any trouble I may run into if I use a shared KDC with multiple instances of Cloudera.

 

Let's say I build two distinct clusters and try to share a KDC and DNS between them.  Won't the principals conflict between the two clusters for things like the HDFS principal for example?  Will I run into any other issues?

 

What is a recommended approach to installing multiple clusters on the same Domain / KDC vs separate KDCs and separate Domains?

 

Regards,

TC


Re: Multiple CDH clusters sharing the same Domain, DNS and KDC.

You can build out multiple clusters sharing the same KDC and Realm, as long as their machine hostnames are distinct. A service principal takes the form of USER/HOST@REALM, so this will avoid conflicts. This is also practiced in many environments.

In this approach, however, users on one cluster will immediately have authentication access to the other cluster, because the KDC Realm is common between the two. If that is not desirable, you'll need to run separate KDCs with distinct Realm names.

In the former case (same Realm, multiple clusters), DNS discovery of the Realm would not be a problem as only a single one exists. In the latter case (one Realm per cluster), you'll likely need to make use of explicit [domain_realm] section specifiers in krb5.conf to direct clients to the right KDC for each cluster's service hostnames.
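
As an added illustration of the one-Realm-per-cluster case above (not part of the original reply), this sketch models how a client resolves a service hostname to a realm from explicit `[domain_realm]` entries when both clusters share one DNS domain. The realm names, hostnames and KDC names are constructed placeholders, and the lookup order (exact host entry, then each parent domain) is a simplified model of MIT krb5's documented matching.

```python
# Added example: model of krb5.conf [domain_realm] lookup for two clusters
# that share one DNS domain. All names below are constructed placeholders.
KRB5_CONF = """
[realms]
  CLUSTER1.EXAMPLE.COM = {
    kdc = kdc1.example.com
  }
  CLUSTER2.EXAMPLE.COM = {
    kdc = kdc2.example.com
  }

[domain_realm]
  .example.com = CLUSTER1.EXAMPLE.COM
  c2-nn01.example.com = CLUSTER2.EXAMPLE.COM
  c2-dn01.example.com = CLUSTER2.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] relations as a dict with lower-cased keys."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(hostname, mapping):
    """Exact host entry first, then each parent domain (".d" before "d")."""
    candidate = hostname.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return None  # no mapping: the client falls back to other realm discovery

def service_principal(service, hostname, mapping):
    """Build SERVICE/HOST@REALM, the principal form described in the reply."""
    realm = realm_for_host(hostname, mapping)
    return f"{service}/{hostname}@{realm}" if realm else None
```

Because the domain-wide entry sends every unlisted host to the first realm, each host of the second cluster needs its own entry; a host left out would have its service tickets requested from the wrong KDC.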