Goal
Limit the number of keytab files for Kerberos.
Learn
Questions
- Can we get away with only having keytabs on the master and proxy nodes or is it necessary to have keytabs on all of the nodes in the cluster?
- If we reduce the keytabs for Datameer, what limitations might we face?
- If Datameer requires keytabs on every node, do you have plans on changing that requirement?
Answers
- You can limit the number of keytabs required to a single location. If you have access from both your master and proxy hosts to the single location of the Datameer keytab containing the principal, you should be set. Keeping 2 copies, one on each of the master and proxy hosts, works as well.
- There are no known limitations. Datameer only reaches out to the single keytab file that has been defined in the Hadoop Cluster configuration section of Administration.
- Datameer doesn't currently require keytabs to be distributed on each node. Feel free to reduce their footprint on your cluster as far as Datameer is concerned.
Summary
Requirements for Datameer keytab:
- A single keytab file is required for Datameer (distribution is not required/advised)
- The path to the keytab is configured in Datameer under Administration
- For security purposes, a single copy/location for the keytab is suggested
- Further best practices would suggest limiting the Datameer keytab file to contain only the Datameer principal
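
One way to check the last recommendation, as an added example that is not Datameer's own code: a Python parser for the MIT keytab file format (version 0x0502) that lists the principals in a keytab and reports any besides the expected one. The principal names, realm and sample keytabs are constructed for illustration.

```python
import struct

def read_counted(buf, off):  # uint16 length prefix + bytes -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_principals(data):
    """Return the set of principals in an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:      # zero size: treated as end of entries
            break
        if size < 0:       # negative size marks a deleted slot: skip it
            pos += -size
            continue
        entry = data[pos:pos + size]
        if len(entry) < size:
            raise ValueError("truncated keytab entry")
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = read_counted(entry, off)
            comps.append(comp)
        found.add("/".join(comps) + "@" + realm)
    return found

def unexpected_principals(data, expected):  # anything besides the Datameer principal
    return sorted(keytab_principals(data) - {expected})

def build_entry(principal, kvno=1, enctype=18, key=bytes(32)):
    """Constructed sample entry with an all-zero key (test data only)."""
    name, realm = principal.rsplit("@", 1)
    counted = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", name.count("/") + 1) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + counted(key)
    return struct.pack(">i", len(body)) + body

# Constructed samples; principal names and realm are hypothetical.
CLEAN = b"\x05\x02" + build_entry("datameer@EXAMPLE.COM")
MIXED = CLEAN + struct.pack(">i", -6) + bytes(6) + build_entry("hdfs/nn1.example.com@EXAMPLE.COM")
```

On a real host, read the keytab configured in Datameer as bytes and pass them to `unexpected_principals` along with the Datameer principal; `klist -k` gives the same principal listing for a manual check.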