If you are kerberizing a hadoop cluster against an Isilon, you’ll need to look at adding the following to the hdfs services to enable Isilon compatibility.
1. Add custom property hadoop.security.token.service.use_ip=false to core-site.xml
When you kerberize with AD, Isilon’s cluster SPN is used and not the SCZ SPN. (this is our odd behavior) . When hadoop.security.token.service.use_ip = true there is a lookup done on the IP address of the sender, which is compared to the SPN in the token. Obviously with Isilon you don’t want to create a bunch of reverse PTR records in the case you are using MIT and in the case of AD the resolve will always come back with the wrong name because of the fact we are not addressing this configuration with the SCZ SPN anyway. False, says trust the fact you have a ticket and leave it at that. So hadoop.security.token.service.use_ip should always be false in our configurations when kerberized. Firstly to avoid having to create a bunch of reverse PTR records when using non-AD kerberos, and to avoid our own oddity WRT the SPN used when using AD kerberos.
2. Add `hadoop classpath`: to start of mapreduce.application.classpath
This is added here:
MapReduce2 -> Config -> Advanced -> Advanced mapred-site
Add `hadoop classpath`: to start of mapreduce.application.classpath