Amazon EMR Management Guide - Use Kerberos Authentication

Advantages

  • Amazon EMR has full ownership of the KDC. The KDC on the EMR cluster is independent from centralized KDC implementations such as Microsoft Active Directory or AWS Managed Microsoft AD.
  • Performance impact is minimal because the KDC manages authentication only for local nodes within the cluster.
  • Optionally, other Kerberized clusters can reference the KDC as an external KDC. For more information, see External KDC—Master Node on a Different Cluster (p. 221).

Considerations and Limitations

  • Kerberized clusters cannot authenticate to one another, so applications cannot interoperate. If cluster applications need to interoperate, you must establish a cross-realm trust between clusters, or set up one cluster as the external KDC for other clusters. If a cross-realm trust is established, the KDCs must have different Kerberos realms.
  • You must create Linux users on the EC2 instance of the master node that correspond to KDC user principals, along with the HDFS directories for each user.
  • User principals must use an EC2 private key file and kinit credentials to connect to the cluster using SSH.

Cross-Realm Trust

In this configuration, principals (usually users) from a different Kerberos realm authenticate to application components on a Kerberized EMR cluster, which has its own KDC. The KDC on the master node establishes a trust relationship with another KDC using a cross-realm principal that exists in both KDCs. The principal name and the password match precisely in each KDC. Cross-realm trusts are most common with Active Directory implementations, as shown in the following diagram. Cross-realm trusts with an external MIT KDC or a KDC on another Amazon EMR cluster are also supported.

Advantages

  • The EMR cluster on which the KDC is installed maintains full ownership of the KDC.
  • With Active Directory, Amazon EMR automatically creates Linux users that correspond to user principals from the KDC. You still must create HDFS directories for each user. In addition, user principals in the Active Directory domain can access Kerberized clusters using kinit credentials, without the EC2 private key file. This eliminates the need to share the private key file among cluster users.
  • Because each cluster KDC manages authentication for the nodes in the cluster, the effects of network latency and processing overhead for a large number of nodes across clusters are minimized.

Considerations and Limitations

  • If you are establishing a trust with an Active Directory realm, you must provide an Active Directory user name and password with permissions to join principals to the domain when you create the cluster.
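The two Kerberos setups above (a cluster-dedicated KDC on its own, and the same KDC with a cross-realm trust) are expressed in an EMR security configuration plus the Kerberos attributes supplied at cluster creation. The following Python is an added example written for this page, not AWS tooling or code from the guide: it builds the security-configuration document for a cluster-dedicated KDC with an optional trust, checks the constraints the guide states (the trusted realm must differ from the cluster realm, the shared cross-realm principal password must be supplied, and an Active Directory trust needs a domain-join user and password), and maps user principals to the Linux user and HDFS home directory that must be created by hand when there is no AD trust. The JSON keys and the `--kerberos-attributes` names are taken from the EMR security-configuration format; the realm, host names and passwords are constructed samples, and `trust_is_active_directory` is a parameter of this example only.

```python
"""Build and sanity-check an Amazon EMR Kerberos security configuration.

Illustrative code added to this page; it is not AWS's own tooling. The JSON
field names (AuthenticationConfiguration, KerberosConfiguration,
ClusterDedicatedKdcConfiguration, CrossRealmTrustConfiguration) and the
--kerberos-attributes keys follow the EMR security-configuration format;
the realm and host names used below are constructed samples.
"""
import json
import re

# Kerberos realm names are conventionally upper-case, DNS-style names.
REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")


def cluster_dedicated_kdc_config(ticket_lifetime_hours=24, trust=None):
    """Return the security-configuration dict for a cluster-dedicated KDC.

    `trust`, when given, describes the realm to trust:
    {"realm": ..., "domain": ..., "kdc_server": ..., "admin_server": ...}.
    """
    kdc = {"TicketLifetimeInHours": ticket_lifetime_hours}
    if trust is not None:
        kdc["CrossRealmTrustConfiguration"] = {
            "Realm": trust["realm"],
            "Domain": trust["domain"],
            "AdminServer": trust["admin_server"],
            "KdcServer": trust["kdc_server"],
        }
    return {
        "AuthenticationConfiguration": {
            "KerberosConfiguration": {
                "Provider": "ClusterDedicatedKdc",
                "ClusterDedicatedKdcConfiguration": kdc,
            }
        }
    }


def validate_kerberos_setup(cluster_realm, security_config, kerberos_attributes,
                            trust_is_active_directory=False):
    """Check the constraints the guide states before launching the cluster.

    `kerberos_attributes` mirrors the --kerberos-attributes of
    `aws emr create-cluster` (Realm, KdcAdminPassword,
    CrossRealmTrustPrincipalPassword, ADDomainJoinUser, ADDomainJoinPassword).
    Returns a list of problems; an empty list means the setup is consistent.
    """
    problems = []
    if not REALM_RE.match(cluster_realm):
        problems.append(f"cluster realm {cluster_realm!r} is not an upper-case realm name")
    if kerberos_attributes.get("Realm") != cluster_realm:
        problems.append("kerberos-attributes Realm must be the cluster's own realm")
    if not kerberos_attributes.get("KdcAdminPassword"):
        problems.append("KdcAdminPassword is required for a cluster-dedicated KDC")

    kerberos = security_config["AuthenticationConfiguration"]["KerberosConfiguration"]
    trust = kerberos.get("ClusterDedicatedKdcConfiguration", {}).get("CrossRealmTrustConfiguration")
    if trust is None:
        return problems

    # A cross-realm trust only works between KDCs that serve different realms.
    if trust["Realm"] == cluster_realm:
        problems.append("trusted realm must differ from the cluster realm")
    # The cross-realm principal exists in both KDCs with the same password,
    # so that password has to be supplied at cluster creation.
    if not kerberos_attributes.get("CrossRealmTrustPrincipalPassword"):
        problems.append("CrossRealmTrustPrincipalPassword is required when a trust is configured")
    # Trusting an Active Directory realm additionally needs an account that is
    # allowed to join principals to the domain.
    if trust_is_active_directory and not (
        kerberos_attributes.get("ADDomainJoinUser") and kerberos_attributes.get("ADDomainJoinPassword")
    ):
        problems.append("ADDomainJoinUser and ADDomainJoinPassword are required for an AD trust")
    return problems


def local_accounts_for(principals, cluster_realm):
    """Map KDC user principals to the Linux user and HDFS home each one needs.

    Without an AD trust the guide requires these to be created by hand on the
    master node. Service principals (name/host@REALM) and principals from other
    realms are skipped because they do not correspond to local users.
    """
    accounts = []
    for principal in principals:
        name, _, realm = principal.partition("@")
        if realm != cluster_realm or "/" in name or not name:
            continue
        accounts.append((name, f"/user/{name}"))
    return accounts


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    trust = {"realm": "AD.EXAMPLE.COM", "domain": "ad.example.com",
             "kdc_server": "dc1.ad.example.com", "admin_server": "dc1.ad.example.com"}
    print(json.dumps(cluster_dedicated_kdc_config(trust=trust), indent=2))
```

The printed document is what you would save to a file and register with `aws emr create-security-configuration --name <name> --security-configuration file://<file>`; the attributes checked by `validate_kerberos_setup` are the ones passed to `aws emr create-cluster --kerberos-attributes`. Running the validator before launch catches the same-realm and missing-password mistakes on your side rather than as a failed cluster provisioning step.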