I want to use the configuration below because of some restrictions in my environment (my LDAP software is not supported by Hadoop and I can't use AD). I tested it and everything seems OK, but I am curious whether I'm missing some points. Could there be any problem with this configuration? Is it a sufficient configuration?
- I will use LDAP (and its built-in Kerberos) for SSH login to nodes
- I will integrate Hadoop with MIT Kerberos
- I will integrate Ambari with MIT Kerberos
To sum up, I will not use LDAP for Hadoop and Ambari; I will create principals and manage roles via Ranger.
Hello @Mustafa Kemal MAYUK,
Before answering whether this configuration is enough or not, I have a couple of questions:
1. Which LDAP are you using that is not supported by Hadoop?
2. How are you linking your LDAP users with MIT Kerberos principals?
Hello @Vipin Rathor,
1. It is RedHat IDM. It has a "specialized" Kerberos configuration and Hadoop can't execute Kerberos commands with it. RedHat support also says it is not supported by Ambari. There is an article about an Ambari FreeIPA (free version of IDM) plugin, but it is an experimental method and doesn't work with HDP 2.5.
2. I am planning to use LDAP only for system logins. Hadoop admins will switch to local users which are linked to Kerberos.