Kerberos Implementation Approach: is it recommended to have the KDC on one of the Hadoop nodes or on a separate server in a production environment?

Expert Contributor

Hi Hadoop Experts,

Can you please advise on the Kerberos implementation approach: is it recommended to have the KDC on one of the Hadoop nodes or on a separate server in a production environment?

I am trying to search on the Hortonworks website but only got https://community.hortonworks.com/articles/17336/choosing-kerberos-approach-for-hadoop-cluster-in-a....

Please share your suggestions and ideas for a production environment.

1 ACCEPTED SOLUTION

Master Guru

If you can afford it, then definitely on a separate server, to avoid potential bad influence from busy Hadoop master components. It is also recommended to have at least one slave KDC which can become master KDC if needed. You can find details here. KDCs can run on VMs.


5 REPLIES

Expert Contributor

Thanks a lot @Predrag, this is what I was looking for.

Contributor

The KDC should be on a separate machine because you will eventually have to turn it over to computer security since it is a source of authority for the principals. They should not let the HDP admins authorize their own accounts.

Rising Star

For a general enterprise scenario I'd recommend approaches b and c. Depending on the security administrators, they will agree to one of these. In general it is preferable to reduce the number of sources of identity within an organization to allow for easily managed, secure control. I would very strongly advise against the stand-alone KDC approach in any real production environment.

Expert Contributor

Hi Eric, thanks for the answer. Can you please clarify a bit more?

Do you agree with having the KDC master on a separate server in a production scenario or not?

Do you see any issues with having a KDC slave in case the master KDC goes down?

Thanks

Ripunjay