Been seeing a few questions lately around RFC2307 and removal or deprecation post Windows Server 2008 within AD. Since Isilon multi-directory service and multiprotocol often relies heavily on this functionality, I dug a little deeper and found this excellent blog from MS on what all this means. https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/Read more "RFC2307 attributes and newer versions of Windows AD Server"
An issue has been seen when a KDC kerberized Hortonworks cluster attempts to start Yarn services or any other services that leverage WebHDFS to start with OneFS 8.0.1. The incorrect generation of the the krb5.conf can leave the file without a READ permission for the services handling WebHDFS calls and authentication cannot occur leading to […]Read more "KDC Kerberized Yarn Services Fail to Start on Isilon OneFS 8.0.1 with Ambari via WebHDFS curl calls"
I also just posted these procedures on implementing Cloudera with Isilon on EMC’s ECN: https://community.emc.com/community/products/isilon/blog/2016/07/07/cloudera-and-isilon-implementation https://community.emc.com/community/products/isilon/blog/2016/07/07/cloudera-and-isilon-implementation-part-2 enjoy!Read more "Implementing Cloudera 5.7 with Isilon 188.8.131.52"
I just authored this post on EMC’s ECN site, on how to implement Kerberos with HDP with Isilon and AD. https://community.emc.com/community/products/isilon/blog/2016/07/05/kerberizing-ambari-hdp-with-isilon-8001-and-active-directoryRead more "Ambari HDP with Isilon 184.108.40.206 and Active Directory Kerberos Implementation"
This may help clarify the use of Isilon proxy users on a kerberized Isilon. You need to create a proxy user for the service and then add users or groups that need to run jobs to that proxy user. Lets take a hive job as an example. A Kerberos user: hdpuser3 tries to run […]Read more "Isilon hdfs proxy users"
If you are kerberizing a hadoop cluster against an Isilon, you’ll need to look at adding the following to the hdfs services to enable Isilon compatibility. All Distro’s 1. Add custom property hadoop.security.token.service.use_ip=false to core-site.xml When you kerberize with AD, Isilon’s cluster SPN is used and not the SCZ SPN. (this is our odd behavior) […]Read more "Tweaks to HDFS services to make them play nice with Kerberized Isilon access"
Hadoop provides a feature that lets administrators specify mapping rules to map a kerberos principal to a local UNIX user name.This required with Kerberized Hadoop clusters to turn full UPN’s into the shortnames required by the HDFS services. In Ambari these rules look similar to this and are added to the core-site.xml: Kerberized Ambari […]Read more "Hadoop’s hadoop.security.auth_to_local rules"