Can I manage separate clusters of HDP and HDF with single Kerberos KDC server?

I have independent clusters of HDF and HDP. I wonder if I can have a single KDC Admin server for both of the clusters.

If it is possible, how do I achieve that?

1 ACCEPTED SOLUTION

@Kibrom Gebrehiwot

Yes, it's possible. Please use the same Kerberos details (KDC, admin principal, etc.) which you have used for your HDP cluster while Kerberizing the HDF cluster.

The principals which use the machine will not be a problem, as each machine will have a unique name. You only have to be careful while configuring service principals. If you are using a service principal followed by the cluster name (on the condition that the two clusters have different names), then even that won't be a problem. Example: {service}-{clustername}@{realmname}, i.e. hdfs-hadoopprod@Hortonworks.com.

But make sure that your KDC is installed and configured on a good machine. If that machine shuts down, both clusters will be affected.

Kerberos Setup link

By configuring both clusters with a single KDC, there is no need to set up trust between the two clusters separately to transfer data (DistCp, etc.).

Hope this helps you.

2 REPLIES

Make sure your realm name is all uppercase characters. hdfs-hadoopprod@Hortonworks.com should really be hdfs-hadoopprod@HORTONWORKS.COM.

Also, the default settings are for the headless/user principal names to include the cluster name. If you choose to stay with this, make sure the clusters have unique names. However, you are welcome to change the unique value for these principal names to anything that avoids collisions. If principal names are the same in multiple Ambari-managed clusters using the same KDC, one instance of Ambari will wind up changing the passwords out from under the other instances. This will invalidate the keytab files installed on the hosts and break the clusters.
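
A pre-flight check for the two problems raised in the replies above (principal names shared between clusters on one KDC, and realms that are not all uppercase), as an added example that is not part of the original thread and is not Ambari code. The function names, cluster names, and principal lists are constructed for illustration; in practice the lists would come from each cluster's own principal inventory.

```python
from collections import defaultdict

def parse_principal(name):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm)."""
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError(f"not a full principal name: {name!r}")
    primary, _, instance = local.partition("/")
    return primary, instance or None, realm

def audit_shared_kdc(clusters):
    """clusters maps cluster name -> list of principals it will create.

    Returns (collisions, bad_realms):
      collisions: principal -> (kind, sorted clusters) when 2+ clusters claim it
      bad_realms: sorted principals whose realm is not all uppercase
    """
    owners = defaultdict(set)
    bad_realms = set()
    for cluster, principals in clusters.items():
        for p in principals:
            _, instance, realm = parse_principal(p)
            if realm != realm.upper():
                bad_realms.add(p)
            # Exact comparison: Kerberos principal names are case sensitive.
            owners[p].add(cluster)
    collisions = {}
    for p, claimed_by in owners.items():
        if len(claimed_by) > 1:
            kind = "host-based" if parse_principal(p)[1] else "headless"
            collisions[p] = (kind, sorted(claimed_by))
    return collisions, sorted(bad_realms)

# Constructed sample inventories for two clusters sharing one KDC.
SAMPLE = {
    "hadoopprod": ["hdfs-hadoopprod@EXAMPLE.COM",
                   "nn/master1.example.com@EXAMPLE.COM",
                   "hdfs@EXAMPLE.COM"],            # headless, no unique suffix
    "hdfprod":    ["nifi/nifi1.example.com@EXAMPLE.COM",
                   "hdfs@EXAMPLE.COM",             # same name as in hadoopprod
                   "hdfs-hdfprod@Example.com"],    # realm not uppercase
}

if __name__ == "__main__":
    collisions, bad_realms = audit_shared_kdc(SAMPLE)
    for p, (kind, who) in collisions.items():
        print(f"COLLISION ({kind}): {p} claimed by {', '.join(who)}")
    for p in bad_realms:
        print(f"REALM NOT UPPERCASE: {p}")
```

Any principal reported as a collision is one whose password would be reset by whichever Ambari instance regenerates keytabs last, so it should be renamed before the second cluster is Kerberized.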