In order to deploy a secured multi tenant Cloudera cluster. we planned to use Kerberos as the main authenticate mechanism. We have planned to deploy many projects/applications on this cluster.
In multi-tenant context, we exploring different options to organize users by groups/projects in Kerberos.
We have identified to possibilities :
- Option 1 : 1 project = 1 realm containing all user participating to a project.
Option 2 : 1 realm for all projects on the same platform (1 platform = 1 realm) + a rule to distinguish the user associated to a project through their principals.
Syntax : username/project@REALM.com
Example : firstname.lastname@example.org
Have you any feedback about the best practices of using Kerberos in multi-tenant context ?
PS. if you have another options don't be afraid to share it