Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Kerberos Configuration: 2 clusters same OU in AD

Kerberos Configuration: 2 clusters same OU in AD

Explorer

Hi everybody,

 

I've a Kerberized cluster bound to the Corporate Active Directory and all the service principals are created in a specific OU.

 

My question is, 

If i want to inizialize a new cluster (with a separate ClouderaManager) i can use the same OU that i've used for the first cluster ?

 

 

Is not recomended ? there are drawbacks ?

 

Thank you so much,

Ivan

 

1 REPLY 1

Re: Kerberos Configuration: 2 clusters same OU in AD

Super Guru

@Vinn,

 

Indeed, you can use the same subtree (OU, for example) to store the cluster credentials for several clusters.  Each Cloudera manager will create/delete the ones that apply to the hosts and services that are managed by it.  One way to distinguish each one is to use the Active Directory Account Prefix configuration in Administration --> Settings --> Kerberos.  It allows you to set an arbitrary prefix for the CN value of any entries created for that cluster.  This will let you distinguish one cluster's principal objects from the others.

 

Although the above will work, I do recommend using seperate subtrees to store each cluster's principals. It is easier to manage and allows you to more easily define security where the AD user CM uses to add/delete principals can only act on its own principal objects.

 

In summary, there isn't a functional difference for each Cluster's Cloudera Manager if you store all the clusters' principals in one place, but it might be simpler to manage the objects if they are separate.  Using the Active Directory Account prefix will also help you in distinguishing which principal object belongs to which cluster.