
Running Hadoop with a single Linux user and only a few kerberos principals?


Hi community,

Does anybody have experience with the following scenario in a Kerberos setup:

My scenario:

  • Run every Hadoop Service as the same Linux user, let’s call him myhadoopuser.
  • Create the following principals for the cluster:
    • Service Principals for all nodes:
      • myhadoopuser/_HOST
      • HTTP/_HOST
    • Shared user principal for HDFS, ambari smoketest, spark, ...
  • All of the above principals are mapped to myhadoopuser with auth_to_local


My question is: Does it work technically, and are there strong reasons not to do it?

Potential issues I see:

  • missing isolation among Hadoop services (anybody got an example what would be possible and why this is bad?)
  • inability to set different proxyuser privileges for different services

Thank you!

Best,

Roland
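The mapping described in the post, as an added example that is not part of the original post and is not Hadoop's own code: a simplified Python model of `hadoop.security.auth_to_local` rule evaluation, applied to the scenario's principals. The realm `EXAMPLE.COM`, the host name and the shared principal name `shareduser` are assumptions; the output shows that every principal resolves to one short name, so settings keyed by short name, such as `hadoop.proxyuser.<user>.hosts`, cannot tell the services apart.

```python
import re

# Constructed values: realm, host name and the shared principal's name are assumptions.
REALM = "EXAMPLE.COM"
RULES = r"""
RULE:[2:$1@$0](myhadoopuser@EXAMPLE\.COM)s/.*/myhadoopuser/
RULE:[2:$1@$0](HTTP@EXAMPLE\.COM)s/.*/myhadoopuser/
RULE:[1:$1@$0](shareduser@EXAMPLE\.COM)s/.*/myhadoopuser/
DEFAULT
"""
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(?:s/([^/]*)/([^/]*)/(g?))?")

def short_name(principal, rules=RULES, default_realm=REALM):
    """Map a Kerberos principal to a local short name; the first matching rule wins."""
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")      # $0 = realm, $1.. = name components
    for line in rules.split():
        if line == "DEFAULT":              # default realm only: keep the first component
            if realm == default_realm:
                return parts[1]
            continue
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line}")
        count, fmt, match, frm, to, glob = m.groups()
        if int(count) != len(parts) - 1:   # rule is for a different component count
            continue
        base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
        if not re.fullmatch(match, base):  # the filter must match the whole string
            continue
        return base if frm is None else re.sub(frm, to, base, count=0 if glob else 1)
    raise ValueError(f"no rule applies to {principal}")

def proxyuser_key(principal):
    """Proxyuser settings are keyed by short name, not by the full principal."""
    return f"hadoop.proxyuser.{short_name(principal)}.hosts"

SCENARIO = [
    "myhadoopuser/node1.example.com@EXAMPLE.COM",
    "HTTP/node1.example.com@EXAMPLE.COM",
    "shareduser@EXAMPLE.COM",
]

if __name__ == "__main__":
    for p in SCENARIO:
        print(f"{p} -> {short_name(p)} ({proxyuser_key(p)})")
```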