Created 04-21-2017 01:03 PM
Hello,
I want to do the configuration below because of some restrictions in my environment (my LDAP software is not supported by Hadoop and I can't use AD). I tested it and everything seems OK, but I am curious whether I'm missing some points. Might there be any problem with this configuration? Is it a sufficient configuration?
- I will use LDAP (and its built-in Kerberos) for SSH login to the nodes
- I will integrate Hadoop with MIT Kerberos
- I will integrate Ambari with MIT Kerberos
To sum up, I will not use LDAP for Hadoop and Ambari; I will create principals and manage roles via Ranger.
Regards.
Created 04-24-2017 04:26 PM
Hello @Mustafa Kemal MAYUK,
Before answering whether this configuration is enough or not, I have a couple of questions:
1. Which LDAP are you using that is not supported by Hadoop?
2. How are you linking your LDAP users with MIT Kerberos principals?
Created 04-24-2017 05:36 PM
Hello @Vipin Rathor,
1. It is Red Hat IdM. It has a "specialized" Kerberos configuration, and Hadoop can't execute Kerberos commands with it. Red Hat support also says it is not supported by Ambari. There is an article about an Ambari FreeIPA (the free version of IdM) plugin, but it is an experimental method and doesn't work with HDP 2.5.
2. I am planning to use LDAP only for system logins. Hadoop admins will switch to local users which are linked to Kerberos.
Created 05-24-2017 06:19 PM
As long as you create a one-way trust between your MIT Kerberos KDC and your LDAP's Kerberos, you are fine.
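The one-way trust suggested in the reply above, written out as an added example (this is not from the thread or from any Hortonworks/Red Hat documentation). The realm names IPA.EXAMPLE.COM and HADOOP.EXAMPLE.COM, the hostnames and the use of kadmin.local against the IdM KDC are assumptions made for illustration; adjust them to your environment. The script prints the commands and config fragments rather than running them, so it can be reviewed before anything is changed on a KDC.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Generates the pieces
# needed for a one-way cross-realm trust: IdM (FreeIPA) users may obtain
# tickets for Hadoop services in the MIT KDC realm, but not the reverse.
# Realm names below are assumptions; override them via the environment.
IPA_REALM="${IPA_REALM:-IPA.EXAMPLE.COM}"
HADOOP_REALM="${HADOOP_REALM:-HADOOP.EXAMPLE.COM}"

# Direction matters. For a client in IPA_REALM to reach a service in
# HADOOP_REALM, BOTH KDCs must hold krbtgt/HADOOP_REALM@IPA_REALM with an
# identical key. No krbtgt/IPA_REALM@HADOOP_REALM is created, so the
# trust stays one-way.
trust_principal() {
    printf 'krbtgt/%s@%s\n' "$HADOOP_REALM" "$IPA_REALM"
}

# kadmin.local input to run on each KDC (assumption: the IdM server also
# accepts kadmin.local for this principal). $1 is the shared password;
# it must be the same on both sides, so use one long random value.
kadmin_script() {
    printf 'addprinc -pw %s -e aes256-cts-hmac-sha1-96:normal %s\n' \
        "$1" "$(trust_principal)"
}

# krb5.conf fragment for the Hadoop nodes: both realms plus a direct
# capath so clients do not try to route through an intermediate realm.
krb5_conf_snippet() {
    cat <<EOF
[realms]
    $IPA_REALM = {
        kdc = ipa.example.com          # assumption: IdM server hostname
    }
    $HADOOP_REALM = {
        kdc = kdc.hadoop.example.com   # assumption: MIT KDC hostname
        admin_server = kdc.hadoop.example.com
    }

[capaths]
    $IPA_REALM = {
        $HADOOP_REALM = .
    }
EOF
}

# Hadoop only trusts its own realm by default. This auth_to_local rule
# (hadoop.security.auth_to_local in core-site.xml) strips the IdM realm so
# alice@IPA.EXAMPLE.COM becomes the local Unix user "alice". Keep DEFAULT
# as the last rule so HADOOP_REALM principals still map as before.
auth_to_local_rule() {
    esc=$(printf '%s' "$IPA_REALM" | sed 's/\./\\./g')
    printf 'RULE:[1:$1@$0](^.*@%s$)s/@%s$//\n' "$esc" "$esc"
}

# Manual check once both KDCs are updated: an IdM user should obtain a
# cross-realm TGT and then a service ticket from the Hadoop realm.
verify_hint() {
    cat <<EOF
kinit alice@$IPA_REALM
kvno hdfs/namenode.hadoop.example.com@$HADOOP_REALM   # assumption: NN host
klist   # expect krbtgt/$HADOOP_REALM@$IPA_REALM among the tickets
EOF
}

echo "# 1. Run on BOTH KDCs (same password on each):"
kadmin_script "${TRUST_PW:-<shared-random-password>}"
echo "# 2. Append to /etc/krb5.conf on Hadoop nodes and clients:"
krb5_conf_snippet
echo "# 3. Add to hadoop.security.auth_to_local, before DEFAULT:"
auth_to_local_rule
echo "# 4. Verify from a client:"
verify_hint
```

Two points worth keeping in mind: the krbtgt principal name encodes the direction of the trust (service realm first, client realm second), and without the auth_to_local rule Hadoop will reject or mis-map IdM principals even though the KDCs accept them, because the Hadoop admins in the thread plan to use local users rather than LDAP-backed ones.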