Created on 06-19-2016 04:16 PM - edited 09-16-2022 03:26 AM
Hi Hadoop Experts,
Can you please advise on the Kerberos implementation approach: is it recommended to have the KDC on one of the Hadoop nodes or on a separate server in a production environment?
I am trying to search on the Hortonworks website but only got https://community.hortonworks.com/articles/17336/choosing-kerberos-approach-for-hadoop-cluster-in-a....
Please share your suggestions and ideas for a production environment.
Created 06-19-2016 09:54 PM
If you can afford it, then definitely on a separate server, to avoid potential bad influence from busy Hadoop master components. It is also recommended to have at least one slave KDC which can become master KDC if needed. You can find details here. KDCs can run on VMs.
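An added example, not part of the thread: a small check for the two points in the answer above (the KDC on its own server, and at least one slave KDC), run against a client `krb5.conf`. It assumes MIT-style explicit `kdc` entries under `[realms]`; the realm names, hostnames and Hadoop host inventory are constructed placeholders.

```python
import re
# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5 = """
[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = kdc1.example.com:88
    kdc = kdc2.example.com
  }
  LAB.EXAMPLE.COM = {
    kdc = master1.example.com
  }
"""
# Constructed inventory of hosts that run Hadoop services.
HADOOP_HOSTS = {"master1.example.com", "worker1.example.com"}

def parse_realm_kdcs(text):
    """Return {realm: [kdc hostnames]} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section != "realms" or not line:
            continue
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line.startswith("}"):
            realm = None
        elif realm and re.match(r"kdc\s*=", line):
            host = line.split("=", 1)[1].strip()
            realms[realm].append(host.rsplit(":", 1)[0].lower())
    return realms

def audit(text, hadoop_hosts):
    """Flag realms with no second KDC or with a KDC on a Hadoop node."""
    findings = []
    for realm, kdcs in parse_realm_kdcs(text).items():
        if len(set(kdcs)) < 2:
            findings.append((realm, "no slave KDC configured"))
        for host in sorted(set(kdcs) & hadoop_hosts):
            findings.append((realm, f"KDC on Hadoop node {host}"))
    return findings

if __name__ == "__main__":
    for realm, issue in audit(SAMPLE_KRB5, HADOOP_HOSTS):
        print(f"{realm}: {issue}")
```

Realms that locate their KDCs through DNS SRV records instead of `kdc` lines are not covered by this check.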
Created 06-20-2016 02:03 AM
Thanks a lot @Predrag, this is what I was looking for.
Created 06-20-2016 12:50 AM
The KDC should be on a separate machine because you will eventually have to turn it over to computer security since it is a source of authority for the principals. They should not let the HDP admins authorize their own accounts.
Created 06-20-2016 01:03 PM
For a general enterprise scenario I'd recommend approaches b and c. Depending on the security administrators, they will agree to one of these. In general it is preferable to reduce the number of sources of identity within an organization to allow for easily managed, secure control. I would very strongly advise against the stand-alone KDC approach in any real production environment.
Created 06-20-2016 01:42 PM
Hi Eric, thanks for the answer. Can you please clarify a bit more:
Do you agree with having the KDC master on a separate server in a production scenario or not?
Do you see any issues with having a KDC slave in case the master KDC goes down?
Thanks
Ripunjay