If you are kerberizing a Hadoop cluster against an Isilon, you’ll need to look at adding the following to the HDFS services to enable Isilon compatibility. All distros: 1. Add the custom property hadoop.security.token.service.use_ip=false to core-site.xml. When you kerberize with AD, Isilon’s cluster SPN is used and not the SCZ SPN (this is our odd behavior). […] Read more "Tweaks to HDFS services to make them play nice with Kerberized Isilon access"
Hadoop provides a feature that lets administrators specify mapping rules to map a Kerberos principal to a local UNIX user name. This is required with Kerberized Hadoop clusters to turn full UPNs into the short names required by the HDFS services. In Ambari these rules look similar to this and are added to the core-site.xml: Kerberized Ambari […] Read more "Hadoop’s hadoop.security.auth_to_local rules"
If you are seeing issues with Kerberos-based HDFS client access against an Isilon cluster, increasing the Kerberos logging level on the client can show you a lot more information (a lot). Change the logging level with the following:
export HADOOP_ROOT_LOGGER="TRACE,console"
export HADOOP_OPTS="-Dsun.security.krb5.debug=true"
Quick example of a successful kerberized hadoop call from a kerberized […] Read more "Increase the kerberos logging level on a client to see what is actually going on"