I am trying to understand when the best time would be to enable Kerberos on a production platform to avoid any potential issues. After integrating the Web UIs with LDAP, or is it safe to Kerberize the cluster first and then integrate Web UIs like Ambari, Knox, NiFi, Ranger, Zeppelin and Hive with AD and enable fine-grained authorization? Does it make any difference from a technical point of view? What about installing any new service or upgrading different services? Is it safer to disable Kerberos, install the new service/upgrade the current services and enable Kerberos again, or is it safe to upgrade current services on a Kerberized cluster?
If you are keen on having a secure Hadoop cluster then you can't do that without Kerberos! It's recommended that before you deliver a production cluster it should be Kerberized.
Every cluster user should be able to positively identify themselves as the one they say they are. In HDP, whenever you add a new component, a principal and keytab (headless or service) will by default be generated on the host where the component is installed.
If you want to authenticate using AD then here is a good document: AD&Kerberos.
You don't need to disable Kerberos when adding a new service; Kerberos in the background will generate the appropriate principal and keytab, as stated earlier.
Apart from Kerberos you should also deploy SSL for the Web UI components, and using Knox is a good practice.
Hope that helps
Usually, after deploying all the HDP cluster components and testing that they function normally, then enabling Ranger (a very important component for authentication and authorization) and maybe Atlas if needed, you can Kerberize your cluster. Having said that, you should also know that even after the initial Kerberization, whatever component you add later on, Kerberos will automatically generate the principal and keytabs behind the scenes.
Hope that helps
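Both answers above rely on the service principal and keytab being generated for every host when the cluster is Kerberized or a service is added later. As an added example (not from this thread and not part of Ambari), the POSIX shell functions below audit a `klist -kt` listing: they report expected principals that are missing from a keytab and principals that appear with more than one KVNO, which usually means entries left over from an earlier regeneration. The keytab path, hostname, realm and the listing itself are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of `klist -kt /etc/security/keytabs/nn.service.keytab`
# output. Columns with -t are: KVNO, date, time, principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/nn.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/10/2018 10:15:22 nn/host1.example.com@EXAMPLE.COM
   3 01/10/2018 10:15:22 nn/host1.example.com@EXAMPLE.COM
   2 01/10/2018 10:15:22 HTTP/host1.example.com@EXAMPLE.COM
   3 01/12/2018 09:02:10 HTTP/host1.example.com@EXAMPLE.COM'

# missing_principals EXPECTED KLIST_OUTPUT
# EXPECTED is a space-separated list of principals the host must carry.
# Prints each expected principal absent from the listing, one per line;
# exit status 0 when nothing is missing, 1 otherwise.
missing_principals() {
    expected=$1
    listing=$2
    # Keep only entry rows (numeric KVNO, four fields), then the principal.
    found=$(printf '%s\n' "$listing" |
        awk 'NF == 4 && $1 ~ /^[0-9]+$/ { print $4 }' | sort -u)
    status=0
    for p in $expected; do
        if ! printf '%s\n' "$found" | grep -qxF "$p"; then
            echo "$p"
            status=1
        fi
    done
    return $status
}

# stale_kvno KLIST_OUTPUT
# Prints principals that occur with more than one KVNO in the same keytab.
# Multiple entries per principal with the SAME kvno are normal (one per
# encryption type); differing kvnos point at leftovers from a regeneration.
stale_kvno() {
    printf '%s\n' "$1" |
        awk 'NF == 4 && $1 ~ /^[0-9]+$/ { seen[$4 " " $1] = 1 }
             END { for (e in seen) { split(e, a, " "); n[a[1]]++ }
                   for (p in n) if (n[p] > 1) print p }' | sort
}
```

On a real host replace `$SAMPLE_KLIST` with `"$(klist -kt /etc/security/keytabs/<file>.keytab)"` and the expected list with the principals Ambari is configured to create for that host.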
@Ali Services uses Windows Integrated Authentication, which includes the Kerberos and NTLM protocols for network authentication. Additionally, Windows Integrated Authentication includes the negotiate security header, which prompts the client to select Kerberos or NTLM for authentication. The client can access reports which have the appropriate permissions by using Kerberos for authentication. Servers that use Kerberos authentication can impersonate those clients and use their security context to access network resources.
You can configure Reporting Services to use both Kerberos and NTLM authentication; however, this may lead to a failure to authenticate. With negotiate, if Kerberos cannot be used, the authentication method will default to NTLM. When negotiate is enabled, the Kerberos protocol is always used except when:
You may also check this: https://blogs.technet.microsoft.com/rob/2011/11/22/enabling-kerberos-authentication-for-reporting-services/
When I am trying to enable Kerberos after all the back-end setup, I am getting a warning: "YARN log and local dir will be deleted and ResourceManager state will be formatted as part of Enabling/Disabling Kerberos." What does local dir mean, what exactly will be deleted, and how is it related? Deletion of the YARN log is acceptable, but why the local dir?
Can you please provide some detailed clarification on this?