Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Cloudera Security kerberos load on Windows AD

avatar
author-rank bertbert98
Explorer

Created on ‎10-01-2013 03:19 AM - edited ‎09-16-2022 01:48 AM

 

Hi there

 

When we implement Cloudera Manager Security with kerberos.

and we connect to our windows AD for as KDC.

 

What will the impact / load be on the windows AD ?

 

can i get some information/numbers about that?

 

Thank you

2,872 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Rolando author-rank
Expert Contributor

Created ‎10-02-2013 04:50 PM

To add to this, Cloudera Manager uses the kadmin interface to generate the service principles. Windows AD does not support the kerberos kadmin interface from my understanding. You will be better off setting up a MIT based Kdc on a linux system and then configuring cross-realm trust with your AD server.

 

-roland

View solution in original post

2,860 Views
3 REPLIES 3

avatar
author-rank Grizzly author-rank
Master Collaborator

Created ‎10-02-2013 04:35 PM

It can have significant impact.  This is why we do not document or support direct configuration against the AD server as a kerberos KDC.

 

Todd

2,865 Views
0 Kudos

avatar
author-rank Grizzly author-rank
Master Collaborator

Created ‎10-02-2013 04:45 PM

Make sure you "want" kerberos security configured.  Disable NameNode HA Auto Failover and Jobtracker HA before starting.  If HBASE is in use, you will want to review if you want to keep kerberos enabled.  Once you enable kerberos, disabling kerberos can become a complex process as you have to go into zookeeper and remove ACL's over those znode entries, while kerberos is still enabled.

 

Set up a your cluster KDC, on the CM server for example.  If you are on RHEL, Follow the steps here:

 

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Ca...

 

Make sure to enable ticket renewal in your kdc/krb4 configs right away before starting on the steps laid out in our guide to enabling hadoop security with cloudera manager

 

http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/latest/Configuring-Hadoop-Secu...

2,862 Views
0 Kudos

avatar
author-rank Rolando author-rank
Expert Contributor

Created ‎10-02-2013 04:50 PM

To add to this, Cloudera Manager uses the kadmin interface to generate the service principles. Windows AD does not support the kerberos kadmin interface from my understanding. You will be better off setting up a MIT based Kdc on a linux system and then configuring cross-realm trust with your AD server.

 

-roland

2,861 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements