Cross-realm trusts cannot be established between Kerberos realms with the same name. Cross-realm trusts must be established explicitly. For example, if Cluster A and Cluster B both establish a cross-realm trust with a KDC, they do not inherently trust one another, and their applications cannot authenticate to one another to interoperate. KDCs must be maintained independently and coordinated so that the credentials of user principals match precisely.

External KDC

Configurations with an external KDC are supported with Amazon EMR 5.20.0 and later.

  • External KDC—MIT KDC (p. 219)
  • External KDC—Master Node on a Different Cluster (p. 221)
  • External KDC—Cluster KDC on a Different Cluster with Active Directory Cross-Realm Trust (p. 222)

External KDC—MIT KDC

This configuration allows one or more EMR clusters to use principals defined and maintained in an MIT KDC server.
Amazon EMR Management Guide
Use Kerberos Authentication

Advantages

  • Managing principals is consolidated in a single KDC.
  • Multiple clusters can use the same KDC in the same Kerberos realm. This allows cluster applications to interoperate and simplifies the authentication of communication between clusters as compared to a cross-realm trust.
  • The master node on a Kerberized cluster does not have the performance burden associated with maintaining the KDC.

Considerations and Limitations

  • You must create Linux users on the EC2 instance of each Kerberized cluster's master node that correspond to KDC user principals, along with the HDFS directories for each user.
  • User principals must use an EC2 private key file and kinit credentials to connect to Kerberized clusters using SSH.
  • Each node in Kerberized EMR clusters must have a network route to the KDC.
  • Each node in Kerberized clusters places an authentication burden on the external KDC, so the configuration of the KDC affects cluster performance. When you configure the hardware of the KDC server, consider the maximum number of Amazon EMR nodes to be supported simultaneously.
  • Cluster performance is dependent on the network latency between nodes in Kerberized clusters and the KDC.
  • Troubleshooting can be more difficult because of interdependencies.
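The two operational requirements above (a Linux user on the master node for every KDC user principal, and a network route from every node to the KDC) are easy to get wrong when principals live in an external KDC. The following audit script is an added example, not code from the EMR guide or from Amazon; the realm, hosts and user lists are constructed, and a real run would feed it the output of `kadmin -q listprincs` and `cut -d: -f1 /etc/passwd`.

```shell
#!/bin/sh
# Added audit helper (not from the EMR guide) for the external-KDC layout:
# every user principal in the KDC needs a matching Linux user on the master node.
# Sample data below is constructed; on a node, feed real principal/user lists.
set -eu

# Map a Kerberos principal to the Linux user name by stripping the @REALM suffix.
# Service principals (primary/instance form such as hdfs/host@REALM) are not
# users, so the function fails for them and callers skip them.
principal_to_user() {
  primary="${1%%@*}"
  case "$primary" in
    */*) return 1 ;;
  esac
  printf '%s\n' "$primary"
}

# Print each user principal in $1 (one per line) that has no entry in the
# Linux user list $2 (one per line). Both inputs are strings, so nothing on the
# running system is read or modified by this function.
missing_linux_users() {
  printf '%s\n' "$1" | while IFS= read -r princ; do
    [ -n "$princ" ] || continue
    user="$(principal_to_user "$princ")" || continue
    if ! printf '%s\n' "$2" | grep -qx -- "$user"; then
      printf '%s\n' "$user"
    fi
  done
}

# Check that this node has a network route to the KDC on the Kerberos port
# (TCP 88 by default). Uses bash's /dev/tcp; non-zero exit means unreachable.
kdc_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/${2:-88}" 2>/dev/null
}

# Constructed sample data (hypothetical realm, host and users).
SAMPLE_PRINCS='alice@EXAMPLE.COM
hdfs/ip-10-0-0-1.ec2.internal@EXAMPLE.COM
bob@EXAMPLE.COM
carol@EXAMPLE.COM'
SAMPLE_USERS='hadoop
alice
carol'

echo "User principals with no Linux account on this node:"
missing_linux_users "$SAMPLE_PRINCS" "$SAMPLE_USERS"   # prints: bob
```

Run `kdc_reachable kdc.example.com` from each node in a bootstrap action to catch a missing route before the cluster starts authenticating.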
External KDC—Master Node on a Different Cluster

This configuration is nearly identical to the external MIT KDC implementation above, except that the KDC is on the master node of an EMR cluster. For more information, see Cluster-Dedicated KDC (KDC on Master Node) (p. 216) and Tutorial: Configure a Cross-Realm Trust with an Active Directory Domain (p. 235).
Advantages

  • Managing principals is consolidated in a single KDC.
  • Multiple clusters can use the same KDC in the same Kerberos realm. This allows cluster applications and Kerberized clusters to interoperate. It also simplifies the authentication of communication between clusters as compared to a cross-realm trust.