Security #4
Comments
@HorizonNet would a self-signed certificate work for this?
Why do you need a certificate?
As part of https://www.cloudera.com/documentation/enterprise/5-9-x/topics/cm_sg_intro_kerb.html
TLS encryption is not part of the Kerberos setup as described in the lab. TLS is part of level-security for CM server and agents, which are out of scope. The hint in the Cloudera documentation just says that Kerberos alone is not enough for a secure cluster.
@HorizonNet I'm using AWS with Elastic IPs for the cluster. Should I use the private DNS and IPs for KDC or the public ones?
You should never rely on IPs in a cluster. On AWS it is best to stick with the private hostnames. This prevents additional traffic costs and allows some advanced security configurations.
@HorizonNet thanks, but do I need to map the private hostnames to their private or public IPs in the /etc/hosts, or should it work out of the box?
On AWS using private hostnames only works out of the box. You shouldn't need to touch
@HorizonNet I'm getting a
Why are you trying to set up multiple KDCs?
I thought that the idea was to have a master in one of the hosts and a client/slave in each host. How should we set up the KDC then?
You need to set up a central KDC and a Kerberos client on each host. The client is not part of the KDC. It only uses the KDC. You only have a master/slave architecture if you set up high availability for your KDC (which is what your link describes).
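Added example, not part of the thread or of the project's own material: a small check of a client `krb5.conf` against the advice above (hostnames rather than IPs, private rather than public AWS names, a single central KDC unless high availability is intended). The sample config, the realm `EXAMPLE.COM`, the hostnames and the helper `lint_krb5` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample client config; realm and hostnames are placeholders.
SAMPLE_KRB5_CONF = """[realms]
  EXAMPLE.COM = {
    kdc = ip-10-0-0-12.ec2.internal
    kdc = 10.0.0.13:88
    kdc = ec2-203-0-113-7.compute-1.amazonaws.com
  }
"""
# EC2 public DNS names start with "ec2-<dashed public IPv4>".
PUBLIC_EC2 = re.compile(r"ec2-\d+-\d+-\d+-\d+\..*amazonaws\.com", re.I)
# host, host:port, [v6]:port, or a bare IPv6 literal
HOSTPORT = re.compile(r"\[(.+)\](?::\d+)?|([^:]+)(?::\d+)?|(.+)")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_krb5(text):
    """Return (realm, finding, detail) tuples for kdc entries under [realms]."""
    findings, kdcs, section, realm = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            kdcs[realm] = []
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "kdc" and value:
                host = next(g for g in HOSTPORT.fullmatch(value).groups() if g)
                kdcs[realm].append(host)
                if is_ip(host):
                    findings.append((realm, "ip-literal", host))
                elif PUBLIC_EC2.fullmatch(host):
                    findings.append((realm, "public-hostname", host))
    for realm, hosts in kdcs.items():
        if len(hosts) > 1:  # expected only for an HA master/slave KDC setup
            findings.append((realm, "multiple-kdcs", ", ".join(hosts)))
    return findings
```

Calling `lint_krb5(SAMPLE_KRB5_CONF)` flags the IP literal, the public EC2 name and the three-KDC realm; a config with one private-hostname `kdc` line returns an empty list.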
@HorizonNet unrelated question, is it mandatory to take the challenge or can we just take the exam?
The challenge is mandatory.
No description provided.