leongd

Isilon HDFS with Cloudera kerberized with MIT KDC + LDAP to AD

Hi everyone, I'm not familiar with Hadoop generally but am hoping to seek some advice on a question below.

IHAC that has Isilon kerberized with Cloudera to MIT KDC. The Hadoop access zone has 3 authentication providers:

Local (which has since had all users disabled since we're authenticating via Kerberos only)

krb5

LDAP:Active Directory

The customer normally creates new users in AD, which we can see when we browse in the OneFS GUI under Roles & Memberships.

Some of these users are added to specific HDFS proxyusers and all is well.

The question the customer is posing is that there are some user accounts that are not created from AD and are instead created in Kerberos. Users for these accounts in Kerberos do not want to be associated with AD at all.

In this specific case, under Roles and Memberships and under the krb5 provider, there is no user account being shown.

So how do we add a Kerberos user to proxyusers in this particular scenario? Or is it not possible at all?

Thanks for reading and hope to get some advice on this.

russ_stevenson

Re: Isilon HDFS with Cloudera kerberized with MIT KDC + LDAP to AD

A Kerberos principal is not an identity, it is just a user account that can be authenticated by Kerberos. It has no associated identity to Isilon.

An AD user is also an identity, hence it can be seen in the provider. (AD is just an LDAP + KRB provider)

In order to add a proxy user, Isilon still requires an ID, and that identity needs to be associated with the KDC Kerberos Principal UPN. In this case, it would need to be an equivalent identity defined in the local provider, or just use AD to provide ID & KRB auth.

KRB principal user1@REALM needs user1 added to the local provider.

rs
