@mkataria As of HDP 2.4, Zeppelin is only in Tech Preview and does not support Kerberos. Integration with Kerberos for Zeppelin will be available in the upcoming HDP 2.5 release due out very soon. ... View more

@Jason Hue HDFS only allows one write or append to a file at a time. Allowing concurrent writes would mean that the order of bytes in the file would be random. Even if the two appends write to different blocks, how would you determine which block comes first in the file? It's a difficult problem to solve that has not been done in HDFS. ... View more

@Saikrishna Tarapareddy The attribute to correlate on needs to be present in the flowfile for the Merge processor to use it. If you are using FetchFile to get the file, you can add an attribute into that processor using the filename or the substring of the file name. Then it will be present in the flowfile for subsequent processors to use. ... View more

@Satya KONDAPALLI Fundamentally, Spark is a data processing engine while NiFi is a data movement tool. Spark is intended for doing complex computations on large amounts of data, combining data sets, applying analytical models, etc. Spark Streaming provides micro batch processing of data to bring this processing closer to real time. NiFi is intended to collect data and move it to the place for it to be processed with some certain modifications or computations on the data as it flows to its final destination. ... View more

@Steen Manniche You are correct that Solr/Ranger is only capable of collection level security at this time. This Solr Wiki page describes a couple of options for adding document level security to Solr (e.g. ManifoldCF) ... View more

@Kaliyug Antagonist Hue requires Python 2.6 while RHEL/CentOS 7 uses Python 2.7. This is why Hue is not supported on RHEL/CentOS 7. There are alternatives in Ambari for most of the functionality provided by Hue. Amber includes views for Hive access, HDFS File management, YARN queue management, Pig scripting, and Tez job management. The only functionality of Hue that isn't covered by Ambari Views is the Oozie Workflow creation. This functionality is coming soon in Ambari. Please see the Ambari Views documentation for more information. If you need to use Hue for Oozie workflow management, You can install Hue on a RHEL/CentOS 6 node and configure it to point to your HDP cluster. ... View more

@Timothy Spann The best way to accomplish this is with the GetTwitter processor and the MergeContent processor. GetTwitter will connect up to a Twitter dev account and pull tweets (you can even filter them). Then you can use MergeContent to collect the tweets into manageable pieces based on number of records, size of file, or a timeout value. ... View more

@Kaliyug Antagonist HDFS security is multi-tiered: Ranger authorization policies are checked first HDFS ACLs implemented outside of Ranger HDFS POSIX permissions (e.g. rwxr-xr-x) So, what you can do for user home directories is to set the POSIX permissions to 700 and make sure the ownership is <username>:hdfs. This will ensure that only the user has access to his/her home directory. You don't need to create a Ranger policy to allow the access for this. You can do the same for the /tmp directory (set permissions to 777). There are some best practices for securing HDFS with Ranger. ... View more

@Benjamin R The permissions of the keytabs are not all 440. Only some of them are (hdfs, hbase, ambari-qa, accumulo, and spnego). Those keytabs are used by other services than just the owner for testing connectivity, and other functions on startup. All of the other keytabs are only readable by the service account that owns the file. The group that owns the keytabs is the hadoop group, and should be reserved for service accounts. This will ensure the security of your cluster. ... View more

@David Whoitmore Yes, you can install an alternative version of Python. You will need to install it in a non-system location (leave 2.6 in place and put 2.7 in a new home). Many of the HDP components rely on Python and require v2.6 in the standard place on RedHat 6 in order to work properly. ... View more

@Bhanu Pittampally At present, Presto is not supported with Ranger. You can control the HDFS and Hive services via Ranger to enable Presto to access those resources, but there won't be any control for Presto security mechanisms. Currently, the supported components in Ranger (0.5) are HDFS, YARN, Hive, HBase, Kafka, Storm, Knox, and Solr. ... View more

@Teddy Brewski This can be done! Install the Knox server on multiple hosts (can be done by going to Hosts -> hostname -> Add Service -> Knox Gateway). Create a config group for Knox and assign nodes to each config group (Knox -> Configs -> Manage Config Groups) Modify the Advanced Topology for each config group (accessed with the drop down at the top of the Configs page) to change the AD configuration as appropriate. ... View more

@Johnny Fugers There are several Spark tutorials that use the Sandbox available on the Hortonworks website. You may be interested in the Interacting with Data on HDP Using Apache Zeppelin and Apache Spark tutorial. We also offer online training via Hortonworks University focused on Data Science and Spark. ... View more

@Johnny Fugers Have you considered using NiFi to load the data? You can read from many different sources, merge the content into large enough portions to optimize the HDFS use, and write the data directly into HDFS. ... View more

@Pardeep Gorla Absolutely! You can use an MIT KDC to provide Kerberos authentication. There are a couple of ways to do this. FreeIPA is a good tool that combines LDAP and KDC management for RedHat (CentOS) systems. This will give you the ability to also manage user sync for Ambari and Ranger with the OpenLDAP managed by FreeIPA. You will need to use the "Manually Manage Kerberos Principals" option when enabling Kerberos on the cluster for now. FreeIPA integration is on the roadmap for Ambari, but is not available yet as of Ambari 2.2.2. ... View more

@mkataria The article you referenced does contain some good information about security exploits for the Microsoft Windows Active Directory KDC. Some of them require you to obtain certain keys or privileges in order to compromise security, some of them require access to the domain controller. This article is a bit dated as it is from a couple of years ago, and investigating some of the bugs mentioned shows that Microsoft has patched some of these holes. Other attacks can be secured against by understanding the attack and eliminating the access required to utilize the exploit. As with any computer system, the key is securing the systems. Keep users off of systems that they shouldn't have access to. If there's a memory exploit on a server, don't let users login to that server. If getting access to a file would compromise security, don't allow access to that file. The implications of being able to arbitrarily generate Kerberos tickets can have impacts in a Hadoop environment just as they would in any network. If a user can obtain a ticket to use HDFS, for example, that user may be able to access data that s/he shouldn't access. This is why security is such an important and complex topic. Ensuring that the various systems are secure individually AND together is key to ensuring the security of your information. To address the specific issues mentioned in this article, and to ensure the utmost security of your systems, I would recommend contacting Microsoft about them, determining which issues are applicable to your particular O/S version, and work with Microsoft on the best way to secure the domain controller against these attacks. ... View more