Limit the amount of
keytab files for Kerberos.
- Can we get away with only having
keytabson the master and proxy nodes or is it necessary to have
keytabson all of the nodes in the cluster?
- If we reduce the
keytabsfor Datameer, what limitations might we face?
- If Datameer requires
keytabson every node, do you have plans on changing that requirement?
- You can limit the number of
keytabsrequired to a single location. If you have access from both your master and proxy hosts to the single location of the Datameer
keytabcontaining the principal, you should be set. Keeping 2 copies, one on both the master and proxy hosts is functional as well.
- There are no known limitations. Datameer only reaches out to the single
keytabfile that has been defined in the Hadoop Cluster configuration section of Administration.
- Datameer doesn't currently require
keytabsto be distributed on each node. Feel free to reduce their footprint on your cluster as far as Datameer is concerned.
Requirements for Datameer
- A single
keytabfile is required for Datameer (distribution is not required/advised)
- This path to the
keytabis configured in Datameer under
- For security purposes, a single copy/location for the
- Further best practices would suggest limiting the Datameer
keytabfile to contain only the Datameer