We're using a local KDC and have created service principals for the Hadoop service accounts (yarn, hdfs, mapred, etc.). The services start up and automatically generate their TGTs to access the Hadoop services. Regular users authenticate against Active Directory using a cross-realm one-way trust that has been set up. When those users log in to Linux, they get a TGT from the local KDC with their AD credentials (e.g. bk835@ACME.ORG). If you have multiple Hadoop clusters, you may run into collisions with the same Hadoop usernames existing in AD (e.g. yarn, hdfs, mapred, etc.). Because of this, I've convinced the customer to use separate KDCs for each Hadoop realm. I've got three clusters set up. Setting up a KDC on Linux is fairly straightforward, and I can control it rather than depending on the AD administrators to do something for me with respect to issues with service principals or keytab files.
I have a scenario where multiple Hortonworks clusters will be created, used and destroyed in a hybrid cloud environment. To secure each Hortonworks cluster with Kerberos, will I need to set up a local KDC for each cluster on that cluster? Or can I use one KDC to support multiple Hortonworks clusters? In other words, can I support multiple Kerberos realms on the same KDC with Hortonworks? I ran the kerberos_setup.sh script and set up krb5.conf to point to a remote KDC/different realm, but the process kept failing. I finally resorted to letting it set up a local KDC on the management server (for Ambari) and was able to create the KDC, service principals and keytabs properly.
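The layout the first reply describes (one KDC per Hadoop realm, a one-way trust from Active Directory, AD users such as bk835@ACME.ORG mapped to local short names) as an added client-side krb5.conf example; this is not configuration from the thread or from Hortonworks, and the realm names HADOOP1.EXAMPLE.COM / HADOOP2.EXAMPLE.COM and the KDC hostnames are assumptions.

```ini
[libdefaults]
    # Assumed realm for this cluster's nodes; the second cluster uses its own realm and KDC.
    default_realm = HADOOP1.EXAMPLE.COM
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    HADOOP1.EXAMPLE.COM = {
        kdc = kdc1.hadoop1.example.com
        admin_server = kdc1.hadoop1.example.com
        # Map AD users (bk835@ACME.ORG) to their short name; everything else falls
        # through to DEFAULT, which only maps principals from the default realm.
        # Note: this rule maps every ACME.ORG principal, so an AD account named like a
        # cluster service account (yarn, hdfs, mapred) would collide with the local one,
        # which is the collision the first reply avoids by using separate KDCs per realm.
        auth_to_local = RULE:[1:$1@$0](^.*@ACME\.ORG$)s/@ACME\.ORG//
        auth_to_local = DEFAULT
    }
    HADOOP2.EXAMPLE.COM = {
        kdc = kdc2.hadoop2.example.com
        admin_server = kdc2.hadoop2.example.com
    }
    # The AD realm is listed so clients can locate its KDC for the cross-realm path.
    ACME.ORG = {
        kdc = dc1.acme.org
        admin_server = dc1.acme.org
    }

[domain_realm]
    .hadoop1.example.com = HADOOP1.EXAMPLE.COM
    .hadoop2.example.com = HADOOP2.EXAMPLE.COM
    .acme.org = ACME.ORG

[capaths]
    # One-way trust: ACME.ORG users reach the Hadoop realms directly ("."),
    # while no path is declared from the Hadoop realms back into AD.
    ACME.ORG = {
        HADOOP1.EXAMPLE.COM = .
        HADOOP2.EXAMPLE.COM = .
    }
```

The trust itself is established separately by creating the shared krbtgt/HADOOP1.EXAMPLE.COM@ACME.ORG principal with the same key on both sides; the client configuration above only tells libkrb5 where each realm's KDC is and how to walk the cross-realm path.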