On Wed, Feb 8, 2012 at 1:43 PM, Benyi Wang <bewang.t...@gmail.com> wrote:
> Can anyone answer my questions?
>
> Thanks a lot.
>
> ---------- Forwarded message ----------
> From: Benyi Wang <bewang.t...@gmail.com>
> Date: Mon, Feb 6, 2012 at 11:07 PM
> Subject: Hadoop Active Directory Integration
> To: common-u...@hadoop.apache.org
>
>
> Hi,
>
> I have questions about Hadoop Active Directory Integration:
>
> 1. When using Active Directory, do we still need to create a Linux
> account for each user on each Linux node?
>

Yes. You can do LDAP integration via PAM.

> 2. What about if I enable queue ACLs and use fairscheduler? Will task
> trackers send all ACL checks to Active Directory? Can I list the user
> accounts or AD security groups in mapred-queue-acls.xml? Do I need to
> create those groups on the Linux nodes?
>

The fairscheduler runs entirely on the JT. Those groups need to resolve on the JT (and NN) machines.

> 3. Does someone configure Hadoop AD integration in multiple networks?
> For example, my company has three networks: corp, lab, and prod. A user
> in the "corp" network can log on to a Windows server in lab or prod. If we
> want to use a local MIT KDC and set up "one-way cross-realm trust from this
> realm to the Active Directory realm" in
> https://ccp.cloudera.com/display/CDHDOC/Integrating+Hadoop+Security+with+Active+Directory
> .
> How to set up Kerberos in such an environment?
>

You can have a local KDC and realm per cluster, and set up one-way cross-realm trust on each realm to your corp AD.

> 4. Is this right? If AD is set up, a Windows user can remotely submit a
> mapred job?
>

I've never tried this, but my guess is it won't just work.

> 5. What about the authorization? Can Hadoop be configured so that only users
> in the specified security groups in AD can submit jobs?
>

You can do this via ACLs.

>
> Thanks.
>
> Ben
>
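
The queue ACL setup referred to in the answers to questions 2 and 5, as an added example that is not part of the original thread. It assumes the MRv1 (JobTracker) property names; the queue name `etl` and the groups `hadoop-users`, `hadoop-etl-users` and `hadoop-admins` are hypothetical.

```xml
<!-- mapred-site.xml on the JobTracker -->
<property>
  <name>mapred.acls.enabled</name>
  <value>true</value> <!-- queue ACLs are only checked when this is true -->
</property>
<property>
  <name>mapred.queue.names</name>
  <value>default,etl</value> <!-- "etl" is a hypothetical queue -->
</property>
<property>
  <!-- Fair scheduler: take the pool name from the job's queue,
       so each pool is governed by the queue ACLs below. -->
  <name>mapred.fairscheduler.poolnameproperty</name>
  <value>mapred.job.queue.name</value>
</property>

<!-- mapred-queue-acls.xml on the JobTracker -->
<!-- Value format: "user1,user2 group1,group2".
     A leading space means "no individual users, groups only". -->
<property>
  <name>mapred.queue.default.acl-submit-job</name>
  <value> hadoop-users</value> <!-- hypothetical group -->
</property>
<property>
  <name>mapred.queue.etl.acl-submit-job</name>
  <value> hadoop-etl-users</value> <!-- hypothetical group -->
</property>
<property>
  <name>mapred.queue.etl.acl-administer-jobs</name>
  <value> hadoop-admins</value> <!-- hypothetical group -->
</property>
```

The ACL check is made on the JobTracker, so the listed group names have to resolve for the submitting user on that host, for example through the LDAP/PAM integration mentioned in the first answer.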