The cluster references a cluster dedicated KDC running on the master node of

The cluster references a cluster dedicated kdc

This preview shows page 235 - 237 out of 395 pages.

The following commands create a cluster with no KDC. The cluster references a cluster-dedicated KDC running on the master node of another cluster to authenticate principals. That KDC has a cross-realm trust with an Active Directory domain controller. Additional configuration on the master node with the KDC is required. For more information, see Tutorial: Configure a Cross-Realm Trust with an Active Directory Domain (p. 235) . Create Security Configuration aws emr create-security-configuration --name ExtKDCWithADIntegration \ --security-configuration '{"AuthenticationConfiguration": \ {"KerberosConfiguration": {"Provider": "ExternalKdc", \ "ExternalKdcConfiguration": {"KdcServerType": "Single", \ "AdminServer": " MasterDNSofClusterKDC :749", \ "KdcServer": " MasterDNSofClusterKDC .com:88", \ "AdIntegrationConfiguration": {"AdRealm":" AD.DOMAIN.COM ", \ "AdDomain":" ad.domain.com "}}}}}' Create Cluster aws emr create-cluster --release-label emr-5.28.1 \ --instance-count 3 --instance-type m5.xlarge --applications Name= Hadoop Name= Hive \ --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName= MyEC2Key \ --service-role EMR_DefaultRole --security-configuration ExtKDCWithADIntegration \ 229
Image of page 235
Amazon EMR Management Guide Use Kerberos Authentication --kerberos-attributes Realm= EC2.INTERNAL ,KdcAdminPassword= KDCOnMasterPassword ,\ ADDomainJoinUser= MyPrivilegedADUserName ,ADDomainJoinPassword= PasswordForADDomainJoinUser Configuring a Cluster for Kerberos-Authenticated HDFS Users and SSH Connections Amazon EMR creates Kerberos-authenticated user clients for the applications that run on the cluster— for example, the hadoop user, spark user, and others. You can also add users who are authenticated to cluster processes using Kerberos. Authenticated users can then connect to the cluster with their Kerberos credentials and work with applications. For a user to authenticate to the cluster, the following configurations are required: A Linux user account matching the Kerberos principal in the KDC must exist on the cluster. Amazon EMR does this automatically in architectures that integrate with Active Directory. You must create an HDFS user directory on the master node for each user, and give the user permissions to the directory. You must configure the SSH service so that GSSAPI is enabled on the master node. In addition, users must have an SSH client with GSSAPI enabled. Adding Linux Users and Kerberos Principals to the Master Node If you do not use Active Directory, you must create Linux accounts on the cluster master node and add principals for these Linux users to the KDC. This includes a principal in the KDC for the master node. In addition to the user principals, the KDC running on the master node needs a principal for the local host. When your architecture includes Active Directory integration, Linux users and principals on the local KDC, if applicable, are created automatically. You can skip this step. For more information, see Cross-Realm Trust (p. 217) and External KDC—Cluster KDC on a Different Cluster with Active Directory Cross-Realm Trust (p. 222) .
Image of page 236
Image of page 237

You've reached the end of your free preview.

Want to read all 395 pages?

  • Spring '12
  • LauraParker
  • Amazon Web Services, Amazon Elastic Compute Cloud

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern

Stuck? We have tutors online 24/7 who can help you get unstuck.
A+ icon
Ask Expert Tutors You can ask You can ask ( soon) You can ask (will expire )
Answers in as fast as 15 minutes
A+ icon
Ask Expert Tutors