
Kerberos Implementation Approach: is it recommended to have KDC on one of Hadoop nodes or on separate server in production environment


Expert Contributor

Hi Hadoop Experts,

Can you please advise on the Kerberos implementation approach: is it recommended to have the KDC on one of the Hadoop nodes or on a separate server in a production environment?

I am trying to search on the Hortonworks website but only got https://community.hortonworks.com/articles/17336/choosing-kerberos-approach-for-hadoop-cluster-in-a....

Please share your suggestions and ideas for a production environment.

1 ACCEPTED SOLUTION


If you can afford it, then definitely on a separate server, to avoid potential bad influence from busy Hadoop master components. It is also recommended to have at least one slave KDC which can become master KDC if needed. You can find details here. KDCs can run on VMs.
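The two recommendations in the accepted answer (KDC off the Hadoop nodes, and at least one additional KDC) can be checked against a client `krb5.conf`. The following is an added example, not part of any reply in this thread; the realm names, host names and function names are constructed for illustration, and it assumes MIT-style `kdc = host[:port]` entries under `[realms]`.

```python
# Constructed sample krb5.conf (MIT syntax); realm and host names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.example.com:88
    admin_server = kdc1.example.com
  }
  LAB.EXAMPLE.COM = {
    kdc = master1.example.com
  }
"""
# Constructed list of Hadoop cluster hosts to compare against.
HADOOP_NODES = {"master1.example.com", "worker1.example.com"}

def parse_realm_kdcs(text):
    """Return {realm: [kdc hostnames]} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section != "realms":
            continue
        elif line == "}":                    # end of a realm block
            realm = None
        elif realm is None and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif realm is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "kdc" and value:       # drop an optional :port suffix
                realms[realm].append(value.rsplit(":", 1)[0].lower())
    return realms

def check_kdc_placement(text, hadoop_nodes):
    """Flag realms with a single KDC or a KDC that is also a Hadoop node."""
    findings = []
    for realm, kdcs in parse_realm_kdcs(text).items():
        if len(set(kdcs)) < 2:
            findings.append((realm, "fewer than two KDCs listed"))
        for host in sorted(set(kdcs) & hadoop_nodes):
            findings.append((realm, f"KDC {host} is a Hadoop node"))
    return findings
```

On the constructed sample, `check_kdc_placement(SAMPLE_KRB5_CONF, HADOOP_NODES)` reports both issues for `LAB.EXAMPLE.COM` and none for `EXAMPLE.COM`.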


Expert Contributor

Thanks a lot @Predrag, this is what I was looking for.


Cloudera Employee

The KDC should be on a separate machine because you will eventually have to turn it over to computer security since it is a source of authority for the principals. They should not let the HDP admins authorize their own accounts.


Contributor

For a general enterprise scenario I'd recommend approaches b and c. Depending on the security administrators, they will agree to one of these. In general it is preferable to reduce the number of sources of identity within an organization to allow for easily managed, secure control. I would very strongly advise against the stand-alone KDC approach in any real production environment.


Expert Contributor

Hi Eric, thanks for the answer. Can you please clarify a bit more?

Do you agree with having the KDC master on a separate server in a production scenario or not?

Do you see any issues with having a KDC slave in case the master KDC goes down?

Thanks

Ripunjay
