First I'd like to say I'm not a Hadoop admin but an SA, so I have little to no experience with Hadoop except for maintaining the OS the software lives on. The question I have is in regards to kerberos authentication and how to set it up properly so it works. The previous installer of Cloudera integrated the kerberos keytab for the service account into the main system keytab. And now that we have switched vendors for AD integration for our Linux services we've run into issues with the authentication as the vendor defaults to maintain the system keytab. We have been told by the AD integration vendor the Hadoop service account keytab should be in it's own separate keytab file so when the AD password for the computer account changes it won't effect Hadoop.
Our Hadoop admins prefer to use the system keytab as the code used within the Hadoop jobs reference the system keytab. So changing how it's done is apparently a big task. Since I'm not well versed in Hadoop I don't know what to look for in the documentation to point them to say "This is how it's done". And I don't have access to support so I'm doing a round about way to get the proper information.
Would someone be so kind as to provide guidance as to where I can find the documentation to show them how it should be done? Or educate me that they are doing it correctly?
AD/LDAP integration can be shared with hive, impala, hue, then anyone just has account in AD/LDAP, they can login hive, impala,hue.
kerberos is for Hadoop security , no any connection to AD/LDAP integration. hive/impala can auth with user/password and kerberos, basically we use user/password. but for program like base, spark, map reduce must auth with kerberos.
so anyone who want run program on yarn or any other like hbase etc.. should have keytab.
what I meant is AD/LDAP won't effect kerberos user .
the below is the basic guide for you:
1. install MIT kerberos server.
2. open kerberos auth on hadoop
3. integrate Hadoop with AD/LDAP(basically for hue, hive, impala)
anyone who want use Hadoop must have account on os layer. for example, one developer tell you he want to use Hadoop, you have some work to do:
1) add account in AD/LDAP
2) create os user in every node manager node. otherwise it will show errors like can't find xxx user when run yarn program
3) create kerberos keytab for the user if these guy want to use yarn, hbase, spark etc..