
Which is better to create Hadoop accounts in LDAP/AD or locally?


Hi,

Which is better to create Hadoop accounts in LDAP/AD or locally?

1 ACCEPTED SOLUTION

@Sri Bandaru

In reference to Kerberos, it is better to create Hadoop accounts locally to avoid sending Hadoop internal auth requests to AD and adding to the AD load. Setting up Hadoop accounts locally in a KDC and setting up a one-way trust between the KDC and AD is the way to go.

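With service principals in a local KDC and users in AD joined by a one-way trust, users show up with principals in the AD realm while services sit in the Hadoop realm, and it is Hadoop's `hadoop.security.auth_to_local` rules that decide which principal becomes which local account name. The block below is an added example, not code from this thread or from Hadoop itself: a small Python re-implementation of the rule evaluation Hadoop documents (the `RULE:[n:format](filter)s/pattern/replacement/` grammar plus `DEFAULT`), run over constructed principals for the assumed realms `AD.EXAMPLE.COM` (users) and `HADOOP.EXAMPLE.COM` (the local KDC). The security point it makes concrete is that a principal from a realm no rule accepts is rejected rather than quietly mapped to a local user, and a rule whose result still contains `@` or `/` is treated as a rejection too, which is what Hadoop does with `hadoop.security.auth_to_local.mechanism=hadoop`.

```python
"""Evaluate Hadoop-style hadoop.security.auth_to_local rules against Kerberos principals.

Added example, not code from the thread or from Hadoop; it mirrors the rule grammar
Hadoop documents. Realms, rules and principals below are assumed for illustration.
"""
import re

DEFAULT_REALM = "HADOOP.EXAMPLE.COM"   # realm of the local KDC that holds service principals

# Constructed rule set: AD users map to their (lower-cased) bare user name, the HDFS and
# YARN service principals map to the local service accounts, anything else hits DEFAULT.
RULES = r"""
RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*///L
RULE:[2:$1@$0](hdfs@HADOOP\.EXAMPLE\.COM)s/.*/hdfs/
RULE:[2:$1@$0](yarn@HADOOP\.EXAMPLE\.COM)s/.*/yarn/
DEFAULT
"""

_RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"         # [n:format]: n components; $0 = realm, $1.. = components
    r"(?:\(([^)]*)\))?"                 # optional acceptance regex, must match the whole string
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"      # optional sed-style substitution, g = replace all
    r"(/L)?$"                           # optional lower-casing of the result
)


class NoMatchingRule(Exception):
    """No rule accepted the principal; Hadoop refuses the authentication."""


def parse_rules(text):
    """Parse whitespace-separated rules into a list; None stands for DEFAULT."""
    rules = []
    for raw in text.split():
        if raw == "DEFAULT":
            rules.append(None)
            continue
        m = _RULE.match(raw)
        if m is None:
            raise ValueError("unparseable rule: %s" % raw)
        n, fmt, accept, pattern, repl, glob, lower = m.groups()
        rules.append({"n": int(n), "fmt": fmt, "accept": accept, "pattern": pattern,
                      "repl": repl, "glob": bool(glob), "lower": bool(lower)})
    return rules


def parse_principal(principal):
    """'comp1/comp2@REALM' -> (['comp1', 'comp2'], 'REALM'); realm is None if absent."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
        return name.split("/"), realm
    return [principal], None


def translate(principal, rules, default_realm=DEFAULT_REALM):
    """Return the local short name for principal, or raise NoMatchingRule."""
    components, realm = parse_principal(principal)
    if realm is None:                   # already a bare name: Hadoop uses it unchanged
        return principal
    for rule in rules:
        if rule is None:                # DEFAULT accepts only principals of the default realm
            if realm == default_realm:
                return components[0]
            continue
        if len(components) != rule["n"]:
            continue
        params = [realm] + components
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], rule["fmt"])
        if rule["accept"] and not re.fullmatch(rule["accept"], base):
            continue
        result = base
        if rule["pattern"] is not None:
            java_repl = re.sub(r"\$(\d)", r"\\\1", rule["repl"])   # Java $1 -> Python \1
            result = re.sub(rule["pattern"], java_repl, base, count=0 if rule["glob"] else 1)
        if rule["lower"]:
            result = result.lower()
        if "@" in result or "/" in result:  # mechanism=hadoop: result must be a simple name
            raise NoMatchingRule("non-simple name %r produced for %s" % (result, principal))
        return result
    raise NoMatchingRule("no rule accepts %s" % principal)


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for p in ["Alice@AD.EXAMPLE.COM", "hdfs/nn1.hadoop.example.com@HADOOP.EXAMPLE.COM",
              "bob@HADOOP.EXAMPLE.COM", "alice@EVIL.EXAMPLE.COM"]:
        try:
            print("%-50s -> %s" % (p, translate(p, rules)))
        except NoMatchingRule as e:
            print("%-50s -> REJECTED (%s)" % (p, e))
```

Rule order matters: rules are tried top to bottom and the first one whose component count, acceptance filter and result all pass wins, so a permissive rule placed early (for example one with no acceptance filter) can map principals from an unintended realm to a local account. Keep the acceptance filter anchored to the trusted realm, as the first rule above does.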

9 REPLIES


@bsaini

Thanks for your response. May I know which is the best practice for security reasons?

Guru

For ease of use, a local KDC for Hadoop service principals and AD for users is the best way. However, you need to secure your local KDC/Kerberos. If you can secure that, there is no reason not to use a local KDC for Hadoop service principals.

You may run into security policies that do not allow local Kerberos instances. You may also run into policies where you won't get AD credentials that have permissions to create principals in an OU on AD. This will be required if you want Ambari to directly create principals for you.

So, which one to go with is entirely dependent on company security policies.


@Ravi Mutyala

Thanks Ravi. If I go for local accounts like HDFS etc., will the UID be the same on all the machines with respect to that user? If I have to add a new machine, how will that UID be affected?

Guru

It's not essential for all local accounts to have the same UID, though this will help with easier maintenance. If you let Ambari create your local accounts, then you may not get the same UIDs for local users across all nodes. If you want to get the same UIDs, it's better that you manage creating local users as part of your server configuration management process (like Puppet/Chef if you have one).
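The check a practitioner wants before and after such a configuration-management run is whether the service accounts actually agree across nodes. The following is an added example, not from this thread or from any Hadoop or Ambari tooling: a Python audit that takes `/etc/passwd`-format lines as `getent passwd hdfs yarn mapred` would print them on each node (the sample lines and the expected UIDs/GIDs are constructed), reports accounts that are missing, have drifted to a different UID/GID, or carry an interactive login shell where a service account should have `/sbin/nologin`, and emits the `useradd`/`usermod` commands a manifest would run to converge each node. A UID change also has to re-own whatever that daemon already wrote to local disk, which is why the drift commands carry the old UID/GID for the operator's `chown`.

```python
"""Audit Hadoop service accounts across cluster nodes for UID/GID drift and login shells.

Added example (not from the original thread); input is constructed text in passwd(5)
format, as `getent passwd hdfs yarn mapred` would print on each node.
"""

# Desired state, as a configuration-management manifest would pin it (assumed values).
EXPECTED = {
    "hdfs":   {"uid": 1001, "gid": 1001, "shell": "/sbin/nologin"},
    "yarn":   {"uid": 1002, "gid": 1002, "shell": "/sbin/nologin"},
    "mapred": {"uid": 1003, "gid": 1003, "shell": "/sbin/nologin"},
}

# Constructed sample output of `getent passwd hdfs yarn mapred` on three nodes.
PASSWD_BY_HOST = {
    "nn1": [
        "hdfs:x:1001:1001:Hadoop HDFS:/var/lib/hadoop-hdfs:/sbin/nologin",
        "yarn:x:1002:1002:Hadoop YARN:/var/lib/hadoop-yarn:/sbin/nologin",
        "mapred:x:1003:1003:Hadoop MapReduce:/var/lib/hadoop-mapreduce:/sbin/nologin",
    ],
    "dn1": [
        "hdfs:x:1001:1001:Hadoop HDFS:/var/lib/hadoop-hdfs:/sbin/nologin",
        "yarn:x:1002:1002:Hadoop YARN:/var/lib/hadoop-yarn:/bin/bash",        # interactive shell
        "mapred:x:1003:1003:Hadoop MapReduce:/var/lib/hadoop-mapreduce:/sbin/nologin",
    ],
    "dn2": [
        "hdfs:x:1005:1005:Hadoop HDFS:/var/lib/hadoop-hdfs:/sbin/nologin",    # UID/GID drift
        "yarn:x:1002:1002:Hadoop YARN:/var/lib/hadoop-yarn:/sbin/nologin",
        # mapred account was never created on this node
    ],
}


def parse_passwd(lines):
    """Parse passwd(5) lines into {name: {"uid": int, "gid": int, "shell": str}}."""
    accounts = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _, uid, gid, _, _, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return accounts


def audit(passwd_by_host, expected):
    """Compare every node against the expected state.

    Returns {"missing": {host: [user, ...]}, "drift": {user: {host: (uid, gid)}},
             "login_shell": {host: [user, ...]}}; all three empty means the cluster agrees.
    """
    report = {"missing": {}, "drift": {}, "login_shell": {}}
    for host, lines in sorted(passwd_by_host.items()):
        accounts = parse_passwd(lines)
        for user, want in expected.items():
            have = accounts.get(user)
            if have is None:
                report["missing"].setdefault(host, []).append(user)
                continue
            if (have["uid"], have["gid"]) != (want["uid"], want["gid"]):
                report["drift"].setdefault(user, {})[host] = (have["uid"], have["gid"])
            if have["shell"] != want["shell"]:
                report["login_shell"].setdefault(host, []).append(user)
    return report


def remediation(report, expected):
    """Return the per-host commands that converge each finding to the expected state."""
    cmds = []
    for host, users in sorted(report["missing"].items()):
        for user in users:
            w = expected[user]
            cmds.append("%s: groupadd -g %d %s && useradd -r -u %d -g %d -s %s %s"
                        % (host, w["gid"], user, w["uid"], w["gid"], w["shell"], user))
    for user, hosts in sorted(report["drift"].items()):
        w = expected[user]
        for host, (old_uid, old_gid) in sorted(hosts.items()):
            # After changing the ids, files the daemon wrote under the old ids must be
            # re-owned (e.g. DataNode/NodeManager local dirs); the dir set is site-specific.
            cmds.append("%s: groupmod -g %d %s && usermod -u %d -g %d %s  # then chown files owned by %d:%d"
                        % (host, w["gid"], user, w["uid"], w["gid"], user, old_uid, old_gid))
    for host, users in sorted(report["login_shell"].items()):
        for user in users:
            cmds.append("%s: usermod -s %s %s" % (host, expected[user]["shell"], user))
    return cmds


if __name__ == "__main__":
    for cmd in remediation(audit(PASSWD_BY_HOST, EXPECTED), EXPECTED):
        print(cmd)
```

In a real cluster the per-host lines come from running `getent passwd` over SSH or from an Ambari/Puppet fact cache; the audit itself does not need root, only the converge step does.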


@Ravi Mutyala

Got you, Ravi. Hadoop will run on the name but not on the UID. Whatever the UID might be, Hadoop doesn't care in the processing/operations.

Guru

Yes. That's correct.

New Contributor

@Ravi Mutyala @Sridhar Reddy: Can we create no-login service accounts in AD? Or should they be login accounts?


@Bharath Kumar: Yes, you can create them as no-login accounts in AD. Technically, they should be login accounts if you are planning to run some service. That may vary based on the scenario.