IPA Server deployment across multiple environments - Best Practices

I have a customer who's going through a hardware upgrade cycle on their clusters and looking for guidance regarding the use of IPA Server for DNS, LDAP and Kerberos in multiple environments. The client has multiple HDP clusters: Dev, QA, Prod. Wondering if it's better to set up a separate IPA server for each environment, or if one IPA can be used in a multi-tenancy mode across environments/realms.

Curious to know how most HDP customers handle this. Do they set up separate domains for each environment, e.g. dev.client.com, qa.client.com, prod.client.com, that map to different Kerberos realms? Seems simpler to have one realm managed by an IPA server.

Multi-tenancy documentation for IPA Server seems pretty sparse. I have found only one source, and it covers version 3, whereas we are using version 4 as it has some fixes related to setting up trusts with Active Directory. If IPA multi-tenancy works, would that be an alternative worth looking into?

1 ACCEPTED SOLUTION

@mqadri

FreeIPA does not currently support multi-tenancy. There was an article written with regard to what was required in V3 to support this, but it has not been implemented as of 2015. The Request for Enhancement has been open for 4 years or so, but development has been in the direction of IPA-to-IPA trusts (at least as of Feb 2015).

The version of IPA included with RHEL/CentOS 6 is 3.0.0:

[root@sandbox resources]# yum info ipa-server
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: mirror.team-cymru.org
 * epel: mirrors.mit.edu
 * extras: ftp.usf.edu
 * updates: dallas.tx.mirror.xygenhosting.com
Available Packages
Name        : ipa-server
Arch        : x86_64
Version     : 3.0.0
Release     : 50.el6.centos.1
Size        : 1.1 M
Repo        : base
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

The version included with RHEL/CentOS 7 is version 4.2, but it still does not seem to support multi-tenancy per the above links.

2 REPLIES 2

What came up in a customer setting was the suggestion to not even use multi-tenancy. Instead, set up one shared realm so users can authenticate on all clusters. Then, assign access privileges using Ranger.

In older HDP versions this would create the problem of sharing the service principals and technical user accounts across clusters. I believe this has largely been solved in HDP 2.3.
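The trade-off in this reply (one shared realm gives single sign-on across clusters, but per-cluster technical accounts then compete for the same principal names) can be checked before a migration. The script below is an added example, not part of this thread or of IPA/Ambari; it assumes an Ambari-style naming scheme in which headless accounts (hdfs, ambari-qa) have no host instance while service principals (nn/host, HTTP/host) do, and it treats the "-<cluster>" suffix on headless principals as an assumed convention, not as the documented HDP 2.3 fix.

```python
import re
from collections import defaultdict

# Kerberos principal layout: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")

def parse_principal(principal):
    """Split 'primary/instance@REALM' into its parts; instance is None for headless accounts."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal}")
    return m.group("primary"), m.group("instance"), m.group("realm")

def find_collisions(clusters):
    """Return {principal: [clusters]} for every principal claimed by more than one cluster."""
    owners = defaultdict(list)
    for cluster, principals in clusters.items():
        for p in principals:
            owners[p].append(cluster)
    return {p: sorted(c) for p, c in owners.items() if len(c) > 1}

def rehome(clusters, realm_for_cluster=None, suffix_headless=False):
    """Rewrite each cluster's principals under one of the two layouts discussed above:
    a separate realm per cluster (realm_for_cluster), or one shared realm where headless
    principals get a '-<cluster>' suffix (assumed convention, not an HDP/Ambari API)."""
    out = {}
    for cluster, principals in clusters.items():
        rewritten = []
        for p in principals:
            primary, instance, realm = parse_principal(p)
            if realm_for_cluster:
                realm = realm_for_cluster[cluster]
            if suffix_headless and instance is None:
                primary = f"{primary}-{cluster}"
            rewritten.append(primary + (f"/{instance}" if instance else "") + "@" + realm)
        out[cluster] = rewritten
    return out

# Constructed sample: the same principal set rolled out on Dev, QA and Prod in one realm.
CLUSTERS = {
    c: ["hdfs@CLIENT.COM", "ambari-qa@CLIENT.COM",
        f"nn/nn-{c}.client.com@CLIENT.COM", f"HTTP/nn-{c}.client.com@CLIENT.COM"]
    for c in ("dev", "qa", "prod")
}
SEPARATE_REALMS = {"dev": "DEV.CLIENT.COM", "qa": "QA.CLIENT.COM", "prod": "PROD.CLIENT.COM"}

if __name__ == "__main__":
    print("shared realm, unchanged names:", find_collisions(CLUSTERS))
    print("separate realms:", find_collisions(rehome(CLUSTERS, realm_for_cluster=SEPARATE_REALMS)))
    print("shared realm, suffixed headless:", find_collisions(rehome(CLUSTERS, suffix_headless=True)))
```

Host-based service principals never collide because each cluster's hostnames differ; only the headless accounts do, which is exactly what either separate realms or a per-cluster suffix resolves.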