About slachterman

slachterman · ‎05-11-2017

Kerberos is a widely-used authentication system and is used throughout the Hadoop ecosystem, in particular, for strong authentication. The KDC, or key distribution center, is the name for the Kerberos server application that exposes the Authentication Service and Ticket Granting Service, as well as hosting the Kerberos principal database. Active Directory is used in many enterprises for Identity and Access Management. A common architecture in enterprise deployment scenarios is to make use of a local cluster KDC (often using the MIT-KDC packaging) to host the service and host principals associated with the cluster, and to configure a one-way trust between the AD domain and the cluster realm. This has the advantage of offloading Kerberos traffic from the domain controller(s) and not all enterprises do not necessarily want to host cluster principals within their AD domain. So how does a one-way trust work? The first thing to note is that the trust is instantiated by the existence of a special cross-realm principal. For example, if realm B.EXAMPLE.COM trusts realm A.EXAMPLE.COM, clients in the realm A.EXAMPLE.COM can authenticate to services in B.EXAMPLE.COM. In order for a client of A.EXAMPLE.COM to access a service in the B.EXAMPLE.COM realm, both realms must share a key for a principal named krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM (and both keys must have the same key version number associated with them). To access a cross-realm service, the user first contacts their home KDC's AS (AD domain controller which exposes the KDC service, in the scenario at-hand) asking for a TGT that will be used with the TGS of the foreign realm. If there is a direct trust relationship between the home realm and the foreign realm (practically materialized in shared inter-realm keys, per the above), the home KDC delivers the requested TGT. The user then contacts the cluster MIT-KDC, in the foreign realm, presenting the cross-realm TGT and requesting a service ticket for the service in question. Finally, the user contacts the cluster service in question, presenting the service ticket. Therefore, we can conclude that the AD user needs to be able to contact the MIT-KDC server (usually tcp/88). Please note this means that if the cluster is within a secured network zone which includes the MIT-KDC host, then there needs to be a firewall rule allowing AD clients to contact this host (again, usually over tcp/88). Please see diagram below. References: RFC 5868 Kerberos and its Application in Cross-realm Operations RedHat: Setting up Cross-realm Authentication

slachterman · ‎05-10-2017

The mechanics of the one-way trust are as follows: AD user requests cross-realm TGT from AD KDC (i.e., the domain controller exposing the KDC service) AD user contacts cluster MIT-KDC, presenting the TGT and requesting a service ticket for the service in question AD user contacts cluster service, presenting the service ticket Therefore, we can conclude that the AD user needs to be able to contact the MIT-KDC server (tcp/88). The cluster servers need to contact the AD LDAP in order to support synchronization for Ranger, SSSD, etc. You don't need to create user principals in the cluster MIT-KDC if these principals exist within the AD domain and you can set up the one-way trust.

slachterman · ‎05-10-2017

@tuxnet please see new answer.

slachterman · ‎05-08-2017

Yes, that's what the one-way trust accomplishes. You also need to consider SSSD or similar so that user identities exist locally on the cluster boxes (using, say, LDAP). Please accept/upvote the above if this answer was helpful to you.

slachterman · ‎05-08-2017

@tuxnet, please clarify what you mean by "AD doesn't support Kerberos". AD does in fact use Kerberos for authentication under the covers. When a separate MIT-KDC is used, the usual design is to use it to store the host and service principals associated with the Hadoop cluster. The user principals are stored in AD, and a one-way trust is established between the AD domain and the MIT-KDC realm so that users in AD can access cluster services (but not the other way around). This HCC article discusses one-way trusts between MIT-KDC and AD.

slachterman · ‎05-04-2017

Hi @Manmeet Kaur, please post this on HCC as a separate question.

slachterman · ‎05-02-2017

@Joshua Petree can you explain further what you mean by "Ambari is not allowing the DataNodes to access the /home directories?"

slachterman · ‎05-02-2017

@Joshua Petree yes, you want dfs.datanode.data.dir to be backed by a mount point that has the majority of the data available for HDFS blocks. Please upvote or accept the above answer if this is helpful in resolving your issue.

slachterman · ‎05-02-2017

Hi @Joshua Petree, that is odd. It seems like the 2 TB disks on your data nodes are not properly associated with your HDFS storage. What do you see in dfs.datanode.data.dir? Are you sure the listed mount points are backed by the 2 TB disks you intended?

slachterman · ‎05-01-2017

Do you mean DataNode capacity? Which report? Is this a virtual or bare-metal environment? What are the hardware specs?

Online	Offline
Last Visited	‎05-03-2018 08:43 PM

Member Since	‎06-20-2016 02:58 PM
Last Visited	‎05-03-2018 08:43 PM
Posts	251
Kudos received	196

Cloudera Community

Re: PySpark and Python version (<3.6)?

Re: Ambari Server Start failure - Ranger Atlas Ta...

Re: Using underscore _ in a database name in HIVE

Re: Active directory as Directory Service and MIT ...

Re: 4 node cluster configuration

How does a cross-realm trust work?

Re: Active directory as Directory Service and MIT ...

Re: Active directory as Directory Service and MIT ...

Re: Active directory as Directory Service and MIT ...

Re: Active directory as Directory Service and MIT ...

Re: Using Hadoop Credential API to store AWS secre...

Re: HDFS NameNode Capacity Alert on Fresh Install

Re: HDFS NameNode Capacity Alert on Fresh Install

Re: HDFS NameNode Capacity Alert on Fresh Install

Re: HDFS NameNode Capacity Alert on Fresh Install