[lug] (Virtual) BLUG is ON! Thursday April 9th, 2020 @ 6:30PM (MDT!)

Bear Giles bgiles at coyotesong.com
Sat Apr 18 23:47:20 MDT 2020


P.S., before everyone jumps on me...

Yes, I know that maintaining a Kerberized *infrastructure* can be a
non-trivial effort. See my comment above about connecting to a Kerberized
Hadoop cluster. Cloudera and Hortonworks have wizards that will set up the
cluster side but it took a lot of research and experimentation to get the
Java code to connect to the cluster in all of the different modes.

What I was referring to is that I can run

   $ yum install krb5-workstation

or

   $ apt install krb5-user

install a single configuration file (/etc/krb5.conf), run 'kinit', and then
I'm set to go. A client might want a little more information but it's
usually just to whitelist the servers you connect to or provide the TLS
keypair you want to use. You don't need to spend days digging into Google
to find a magic command or three to tell your OS to allow a
foreign Kerberos setting.

On Sat, Apr 18, 2020 at 11:35 PM Bear Giles <bgiles at coyotesong.com> wrote:

> Kerberos
>
> Ironically that's because macOS uses Kerberos internally. Which is good.
> But it's made our life extremely difficult when connecting to Hadoop
> clusters that also use Kerberos authentication because the OS designers
> apparently never considered the possibility that anyone other than them or
> Active Directory would want to use Kerberos.
>
> That might not be an unreasonable assumption, esp. after you've had to
> deal with the Hadoop ecosystem where every application handles Kerberos
> configuration differently. But it is an assumption and there are people who
> need to connect directly to a Kerberized cluster from their laptop/desktop.
>
> We eventually found a workable solution but it took a while. I can't
> remember what it was but we added it to our confluence pages. However I've
> noticed a lot of people are ssh'ing into a compute node to do their work
> instead of running the client software on their laptop.
>
> FWIW Windows has similar problems because of the implementation of its
> security engine but in some ways it's easier to handle them since Microsoft
> needed to support people who needed to connect to Kerberized applications.
> A developer has to call very different libraries but the system does
> acknowledge that it's a reasonable need.
>
> Bear
>
>
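The "single configuration file plus kinit" client setup described in the message, as an added example that is not part of the original post and not the author's own config: a POSIX shell script that generates a minimal /etc/krb5.conf for a "foreign" realm (one your OS does not already know about) and sanity-checks it before you install it. EXAMPLE.COM and kdc.example.com are placeholder assumptions, as is the convention that the DNS domain is the lowercased realm name. The script says nothing about the macOS-specific workaround the message mentions, since the post does not describe it.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build and check a minimal
# krb5.conf for a realm that is foreign to the local OS, then kinit/klist.
# EXAMPLE.COM / kdc.example.com are placeholders, not real infrastructure.

# Print a minimal krb5.conf for realm $1 whose KDC (and kadmin) host is $2.
make_krb5_conf() {
    # Realm names are case-sensitive and by convention uppercase; a lowercase
    # realm is the usual reason kinit reports "Cannot find KDC for realm".
    realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    kdc=$2
    # Assumption: the DNS domain of the cluster hosts is the lowercased realm.
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    # Pin the KDC explicitly instead of trusting DNS SRV records, so a laptop
    # on an untrusted network cannot be steered to somebody else's KDC.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Do not canonicalize service hostnames via reverse DNS (avoids asking for
    # the wrong service principal when PTR records are missing or wrong).
    rdns = false
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Sanity-check a krb5.conf read from stdin: it must set default_realm, the
# realm must be uppercase, and some realm must list a kdc. Non-zero otherwise.
check_krb5_conf() {
    conf=$(cat)
    realm=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p')
    [ -n "$realm" ] || { echo "check: no default_realm" >&2; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "check: realm '$realm' is not uppercase" >&2; return 2; }
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*kdc[[:space:]]*=' \
        || { echo "check: no kdc entry for realm $realm" >&2; return 3; }
    return 0
}

# Usage: sh krb5-client.sh example.com kdc.example.com | sudo tee /etc/krb5.conf
#        kinit "$USER@EXAMPLE.COM" && klist
if [ $# -eq 2 ]; then
    make_krb5_conf "$1" "$2" | check_krb5_conf || exit 1
    make_krb5_conf "$1" "$2"
fi
```

The two generated settings worth keeping even if you trim the rest are `dns_lookup_kdc = false` with a pinned `kdc =` line, which stops a laptop on a foreign network from discovering a KDC it should not trust, and the uppercase realm, which is the first thing to check when `kinit` cannot find the realm at all. After writing the file, `kinit user@REALM` followed by `klist` confirms the client side works before you touch any Hadoop-specific configuration.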