Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Connection between clusters with and without Kerberos

avatar
author-rank ThiagoSantiago author-rank
Contributor

Created on ‎06-11-2016 04:02 PM - edited ‎09-16-2022 03:24 AM

Hi there! how are you? 😃

We have a HDP 2.2 cluster (without Kerberos) already on Production, and we are planning to build another HPD 2.4 cluster (with Kerberos) on the side of the first one.

So, cutting to the chase, my doubt is: Are we going to have some troubles on the attempting to connect to a kerberos enabled cluster?

Are there limitations on the communication between clusters? I mean, will a cluster be able to connect to the cluster for read/write operations, without getting kerberos errors.

As far as I know, this is not a supported configuration but I am looking for someone that has experience configuring this solution.

Thanks in advance.

Thiago.

3,237 Views
1 ACCEPTED SOLUTION

avatar
author-rank jyadav
Super Guru

Created ‎06-11-2016 05:04 PM

@Thiago

If you are using DistCp and WebHDFS to copy data between a secure cluster and an nonsecure cluster by doing the following:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Sys_Admin_Guides/content/ref-c8ffaa14-ea...

  1. Set ipc.client.fallback-to-simple-auth-allowed to true in core-site.xml on the secure cluster side:
    <property> 
  <name>ipc.client.fallback-to-simple-auth-allowed</name>
  <value>true</value> 
</property>
  2. Use below commands from the secure cluster side.
    distcp webhdfs://nonsecure-cluster webhdfs://secure-cluster 
distcp webhdfs://secure-cluster webhdfs://nonsecure-cluster

View solution in original post

2,274 Views
2 REPLIES 2

avatar
author-rank jyadav
Super Guru

Created ‎06-11-2016 05:04 PM

@Thiago

If you are using DistCp and WebHDFS to copy data between a secure cluster and an nonsecure cluster by doing the following:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Sys_Admin_Guides/content/ref-c8ffaa14-ea...

  1. Set ipc.client.fallback-to-simple-auth-allowed to true in core-site.xml on the secure cluster side:
    <property> 
  <name>ipc.client.fallback-to-simple-auth-allowed</name>
  <value>true</value> 
</property>
  2. Use below commands from the secure cluster side.
    distcp webhdfs://nonsecure-cluster webhdfs://secure-cluster 
distcp webhdfs://secure-cluster webhdfs://nonsecure-cluster
2,275 Views

avatar
author-rank cnauroth
Guru

Created ‎06-11-2016 08:46 PM

Hello @Thiago. It is possible to achieve communication across secured and unsecured clusters. A common use case for this is using DistCp for transfer of data between clusters.

As mentioned in other answers, the configuration property ipc.client.fallback-to-simple-auth-allowed=true tells a secured client that it may enter a fallback unsecured mode when the unsecured server side fails to satisfy authentication. However, I recommend not setting this in core-site.xml, and instead setting it on the command line invocation specifically for the DistCp command that needs to communicate with the unsecured cluster. Setting it in core-site.xml means that all RPC connections for any application are eligible for fallback to simple authentication. This potentially expands the attack surface for man-in-the-middle attacks.

Here is an example of overriding the setting on the command line while running DistCp:

hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true hdfs://nn1:8020/foo/bar hdfs://nn2:8020/bar/foo

The command must be run while logged into the secured cluster, not the unsecured cluster.

This is adapted from one of my prior answers:

https://community.hortonworks.com/questions/294/running-distcp-between-two-cluster-one-kerberized.ht...

2,274 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements