Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Kerberos Configuration: 2 clusters same OU in AD

Labels:
Vinn
Explorer

Created on ‎02-06-2018 07:10 AM - last edited on ‎02-06-2018 08:48 AM by Community Manager Community Manager

Hi everybody,

 

I've a Kerberized cluster bound to the Corporate Active Directory and all the service principals are created in a specific OU.

 

My question is, 

If i want to inizialize a new cluster (with a separate ClouderaManager) i can use the same OU that i've used for the first cluster ?

 

 

Is not recomended ? there are drawbacks ?

 

Thank you so much,

Ivan

 

778 Views
0 Kudos
1 REPLY 1

bgooley
Super Guru

Created ‎02-06-2018 08:58 AM

@Vinn,

 

Indeed, you can use the same subtree (OU, for example) to store the cluster credentials for several clusters.  Each Cloudera manager will create/delete the ones that apply to the hosts and services that are managed by it.  One way to distinguish each one is to use the Active Directory Account Prefix configuration in Administration --> Settings --> Kerberos.  It allows you to set an arbitrary prefix for the CN value of any entries created for that cluster.  This will let you distinguish one cluster's principal objects from the others.

 

Although the above will work, I do recommend using seperate subtrees to store each cluster's principals. It is easier to manage and allows you to more easily define security where the AD user CM uses to add/delete principals can only act on its own principal objects.

 

In summary, there isn't a functional difference for each Cluster's Cloudera Manager if you store all the clusters' principals in one place, but it might be simpler to manage the objects if they are separate.  Using the Active Directory Account prefix will also help you in distinguishing which principal object belongs to which cluster.

 

 

769 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
What's New @ Cloudera
Cloudera Operational Database (COD) UI supports creating a smaller cluster using a predefined Data Lake template
What's New @ Cloudera
Cloudera Operational Database (COD) supports scaling up the clusters vertically
Product Announcements
CDP Public Cloud: April 2023 Release Summary
What's New @ Cloudera
Cloudera Machine Learning launches "Add Data" feature to simplify data ingestion
What's New @ Cloudera
Simplify Data Access with Custom Connection Support in CML
View More Announcements