Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Is it recommended to use an existing KDC on an AD Domain Controller or is it recommended to setup a new MIT KDC on a HDP host

avatar
author-rank sbomma
Super Collaborator

Created on ‎07-29-2016 04:46 PM - edited ‎09-16-2022 03:32 AM

 
2,865 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎07-29-2016 05:03 PM

I would recommend setting up an MIT KDC for the cluster's service identities. If there are users in an Active Directory that need access to the services on the cluster, then a trust relationship between the cluster's KDC and the Active Directory can be setup to give those users access.

This configuration lends itself to spreading the Kerberos-related workload across different KDCs - the service-related Kerberos workload remains local to the cluster while the user-related Kerberos workload is sent to the Active Directory. This reduces the load on the Active Directory; and depending on the network configuration, this can contain much of the network traffic to be local to the cluster.

View solution in original post

2,265 Views
8 REPLIES 8

avatar
author-rank myoung
Super Guru

Created ‎07-29-2016 05:02 PM

The answer to this question depends on the customers needs. In many cases, you would use an existing Microsoft AD implementation as the end-users are most likely using that to access the network anyway.

You can implement a dedicated KDC, but it will add complexity.

2,265 Views

avatar
author-rank rlevas
Guru

Created ‎07-29-2016 05:03 PM

I would recommend setting up an MIT KDC for the cluster's service identities. If there are users in an Active Directory that need access to the services on the cluster, then a trust relationship between the cluster's KDC and the Active Directory can be setup to give those users access.

This configuration lends itself to spreading the Kerberos-related workload across different KDCs - the service-related Kerberos workload remains local to the cluster while the user-related Kerberos workload is sent to the Active Directory. This reduces the load on the Active Directory; and depending on the network configuration, this can contain much of the network traffic to be local to the cluster.

2,266 Views

avatar
author-rank myoung
Super Guru

Created ‎07-29-2016 05:11 PM

This makes a lot of sense!

2,265 Views
0 Kudos

avatar
author-rank sbomma
Super Collaborator

Created ‎07-29-2016 05:12 PM

Thanks Robert, This makes sense. Does it increase the complexity for the install? Also what versions are recommended, is there any issues with versions..

2,265 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎07-29-2016 05:38 PM

@Satish Bomma

I think the installation for this is not too complex. The MIT KDC install easy with potentially little to do - depending on your security needs. Once the KDC is installed, and admin user needs to be created and you are done. Here is a script for Centos that installs a KDC - install-kdcsh.txt

Then the trust relationship need to be created. This is about 3 command line calls on the Active Directory host and 1 on the MIT KDC host.

Finally Ambari need to know about the Active Directory as well as the local KDC. This is done by adding a _realm_ block to the krb5.conf template and adding the Active Directory's realm to a text box labeled "Additional Realms" while enabling Kerberos.

Preview file
2 KB
2,265 Views
0 Kudos

avatar
author-rank sbomma
Super Collaborator

Created ‎07-29-2016 05:39 PM

@Robert Levas

Thank you so much.

2,265 Views
0 Kudos

avatar
author-rank ehanson
Rising Star

Created ‎03-24-2017 02:15 PM

@Robert Levas

Would you recommend setting up the MIT KDC on it's own dedicated VM or on one of the masters? What kind of resources does it require?

2,265 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎03-24-2017 03:26 PM

@Eric Hanson

I don't have an official opinion on this. It really depends on the available resources.

If the cluster is really large, then it may be beneficial to put the KDC on its own VM; but for a small cluster (<15 hosts), that may be a bit overkill and the least utilized host for the KDC maybe sufficient. That said, the workload could be spread out by placing a one or more slave KDCs around the cluster, There is also the option to separate the kadmin and krb5kdc processes to different hosts - though this is more for security concerns than for performance or resource concerns.

One thing to keep in mind. For Ambari server versions 2.5.0 and below, it appears that the cluster does an abnormal amount of kinit's. This is currently being looked into. So far, it is unclear whether this is a bug, expected behavior, or something in between. The effect of this issue on a small cluster is minimal and not noticeable over a short period of time. On a large cluster (say 900 nodes), the Kerberos log files tend to get large quickly. Performance of the KDC on such a cluster, even when the KDC exists on a host with Hadoop services, does not appear to be affected. The main issue is merely log file size. However, if an issue is found and fixed, less kinit's couldn't hurt. 🙂

2,265 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements