I'm trying to understand any trouble I may run into if I use a shared KDC with multiple instances of Cloudera.


Let's say I build two distinct clusters and try to share a KDC and DNS between them.  Won't the principals conflict between the two clusters for things like the HDFS principal for example?  Will I run into any other issues?


What is a recommended approach to installing multiple clusters on the same Domain / KDC vs separate KDCs and separate Domains?


You can build out multiple clusters sharing the same KDC and Realm, as long as their machine hostnames are distinct. A service principal takes the form of USER/HOST@REALM, so this will avoid conflicts. This is also practiced in many environments.

In this approach however, users on one cluster will immediately have authentication access to the other cluster, because the KDC Realm is common between the two. If that is not desirable, you'll need to run separate KDCs with distinct Realm names.

In the former case (same Realm, multiple clusters), DNS discovery of the Realm would not be a problem as only a single one exists. In the latter case (one Realm per cluster), you'll likely need to make use of explicit [domain_realm] section specifiers in krb5.conf to direct clients to the right KDC for each cluster's service hostnames.

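As an added example (not code from the thread or from Cloudera), the multi-realm case described in the answer above: a constructed krb5.conf with one realm and KDC per cluster, and a small Python resolver that applies the [domain_realm] lookup rule the way a Kerberos client does (exact host first, then the most specific `.domain` suffix, then default_realm) before building the USER/HOST@REALM service principal. The hostnames, realm names and KDC names are made-up assumptions.

```python
import re

# Constructed krb5.conf fragment (not from the original thread): one realm per
# cluster, with [domain_realm] mappings that send each cluster's hosts to its KDC.
KRB5_CONF = """
[libdefaults]
  default_realm = CLUSTER1.EXAMPLE.COM
[realms]
  CLUSTER1.EXAMPLE.COM = {
    kdc = kdc1.c1.example.com
  }
  CLUSTER2.EXAMPLE.COM = {
    kdc = kdc2.c2.example.com
  }
[domain_realm]
  .c1.example.com = CLUSTER1.EXAMPLE.COM
  c1.example.com = CLUSTER1.EXAMPLE.COM
  .c2.example.com = CLUSTER2.EXAMPLE.COM
  c2.example.com = CLUSTER2.EXAMPLE.COM
"""

def parse_krb5(text):
    """Collect simple 'key = value' pairs per section; lines opening or closing
    a nested {...} block (the per-realm kdc entries) are not modelled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif current and "=" in line and "{" not in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def resolve_realm(host, conf):
    """[domain_realm] lookup: exact hostname, then '.suffix' entries from most
    to least specific, falling back to default_realm (DNS lookup not modelled)."""
    mapping = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]

def service_principal(service, host, conf):
    """Service principals are USER/HOST@REALM, so distinct hosts never collide."""
    return f"{service}/{host.lower()}@{resolve_realm(host, conf)}"

if __name__ == "__main__":
    conf = parse_krb5(KRB5_CONF)
    for h in ("nn1.c1.example.com", "nn1.c2.example.com", "edge.example.com"):
        print(service_principal("hdfs", h, conf))
```

Hosts outside both mapped domains (edge.example.com here) silently fall back to default_realm, which is the misconfiguration to watch for when the two clusters' realms are meant to stay separate.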