Created on 08-22-2019 05:10 AM - last edited on 08-22-2019 11:48 AM by cjervis
Hello Community,
I have a CDH 5.14 cluster hosted on EC2 machines which is kerberized with Active Directory and has Sentry for authorization of databases.
I want to use SSSD to secure my Linux hosts (RHEL 7.x) with Active Directory.
I have been going through this post, but there are a few queries which are keeping me from proceeding:
1. There are service-users (Hive, YARN, etc.) in AD that are already created during Kerberization of my cluster. So, if I go ahead and implement SSSD, then will these pre-existing service-users be able to communicate?
2. If something goes wrong, will I be able to roll back? If yes, how?
Created 08-22-2019 08:39 AM
1. I'm not sure I understand what you mean by communicate. When SSSD is first started, it will sync all of the users and groups in AD to the local node, so any existing users will be able to log in, and have the correct groups ready for them (assuming configuration is set up properly).
2. Rolling back SSSD is possible but troublesome. It would consist of stopping the service and uninstalling it from the node. I'm not sure if the users and groups would still be on the node, but you would need to uninstall that as well. There may be some other pieces left around, but none that I would expect to cause any differences, unless you were to try to install SSSD again.