Created 04-24-2018 07:28 PM
Hi,
I am planning to set a kerberize zone in HDP and HDF clusterusing Ambari, there are some highlights which I would like to know from you all. As I am new to this zone.
1. What are kerberize zone advantages. ?
2. Which services should i considered to keep in that zone?
3. Which approach is good to use other the this.?
4. If it's HA and Prod environment what are best practices.?
5. How to implement and configure if I am planning to add ranger poorly?
6. If it is integrated with HDP and HDF cluster what would be administraror good practice?
7. Study materials if any in HDP?
Thanks all.
Created 04-24-2018 08:48 PM
Please find below answer to your question though I didn't understand exactly what you meant!!!
1. What are kerberize zone advantages. ?
You can't Kerberize a zone but a cluster, but you can create an encryption zone those are 2 different things. The primary design goal of Kerberos is to eliminate the transmission of unencrypted passwords across the network. If used properly, Kerberos effectively eliminates the threat that packet sniffers would otherwise pose on a network.
2. Which services should i considered to keep in that zone?
Again some confusing here. An encryption zone is a special directory whose contents will be transparently encrypted upon write and transparently decrypted upon read.You can store for example HR salary scheme, or just about any document you deem needs protection You either Kerberize the whole cluster or not,
3. Which approach is good to use other the this.?
You need Kerberos if you're serious about security. AD/LDAP will cover only a fraction of components, many other systems will require Kerberos for identity. One can still keep users in the LDAP, but the first line in the infrastructure will be Kerberos. Kerberos is the defacto standard for securing your hadoop environment couple with SSL/SASL and the traditional firewalls and physical protection (Caged nodes in a datacenter)
4. If it's HA and Prod environment what are best practices.?
HA and prod I don't see the link. HA is basically having a redundant system which is fault tolerant. And Prod environment is self-explanatory
5. How to implement and configure if I am planning to add ranger poorly?
For authentication, there is no alternative for Kerberos. Once your cluster is Kerberized, you can make it easier for certain access path by using AD/LDAP. Example, access to HS2 via AD/LDAP authentication or accessing various services using Knox Authorization can be done via Ranger or using the natively supported ACL. Except for Storm and Kafka, having Kerberos is not mandatory. Without reliable authentication, authorization and auditing is meaningless. Common use case as yours: User A logs into the system with his AD credentials, HDFS or Hive ACL's kicks in for authorization.
6. If it is integrated with HDP and HDF cluster what would be administraror good practice?
Now HDP & HDF are both managed by Ambari so that sort of simplifies so admin task for more info
7. Study materials if any in HDP?
Created 04-24-2018 08:48 PM
Please find below answer to your question though I didn't understand exactly what you meant!!!
1. What are kerberize zone advantages. ?
You can't Kerberize a zone but a cluster, but you can create an encryption zone those are 2 different things. The primary design goal of Kerberos is to eliminate the transmission of unencrypted passwords across the network. If used properly, Kerberos effectively eliminates the threat that packet sniffers would otherwise pose on a network.
2. Which services should i considered to keep in that zone?
Again some confusing here. An encryption zone is a special directory whose contents will be transparently encrypted upon write and transparently decrypted upon read.You can store for example HR salary scheme, or just about any document you deem needs protection You either Kerberize the whole cluster or not,
3. Which approach is good to use other the this.?
You need Kerberos if you're serious about security. AD/LDAP will cover only a fraction of components, many other systems will require Kerberos for identity. One can still keep users in the LDAP, but the first line in the infrastructure will be Kerberos. Kerberos is the defacto standard for securing your hadoop environment couple with SSL/SASL and the traditional firewalls and physical protection (Caged nodes in a datacenter)
4. If it's HA and Prod environment what are best practices.?
HA and prod I don't see the link. HA is basically having a redundant system which is fault tolerant. And Prod environment is self-explanatory
5. How to implement and configure if I am planning to add ranger poorly?
For authentication, there is no alternative for Kerberos. Once your cluster is Kerberized, you can make it easier for certain access path by using AD/LDAP. Example, access to HS2 via AD/LDAP authentication or accessing various services using Knox Authorization can be done via Ranger or using the natively supported ACL. Except for Storm and Kafka, having Kerberos is not mandatory. Without reliable authentication, authorization and auditing is meaningless. Common use case as yours: User A logs into the system with his AD credentials, HDFS or Hive ACL's kicks in for authorization.
6. If it is integrated with HDP and HDF cluster what would be administraror good practice?
Now HDP & HDF are both managed by Ambari so that sort of simplifies so admin task for more info
7. Study materials if any in HDP?