05-24-2018 04:17 AM - edited 05-24-2018 04:18 AM
Can two Kerberized CDH clusters be connected to the same Active Directory and share all of the following:
Our use case is that we initially had one CDH cluster, but now plan to introduce a second one as a test/QA CDH cluster and wondered whether we have to completely separate them in AD or if they can share everything.
05-28-2018 01:48 AM
IMHO, this is not a very good idea. You probably have some reasons to do that.
In that case, since you share almost everything, you should consider managing both clusters from the same Cloudera Manager. In that case all of your points are fully satisfied.
05-28-2018 02:04 AM - edited 05-28-2018 02:05 AM
Why do you think that this isn't a good idea?
I've actually shared the OU, the Kerberos principal for CM and the HDFS superuser between the two clusters and still haven't seen any unwanted effects.
Both CMs use the same Kerberos principal but create unique principals in the same OU for each service, e.g. firstname.lastname@example.org.
05-28-2018 02:50 AM
Usually, when we create test clusters, we are more elastic on user permissions. With this configuration, we are increasing the possibility that a malicious user can take advantage and gain access to data on the production cluster that he/she normally should not have.
Again, this is only my personal opinion. Of course you can ignore it, as you know your needs.