Security #4
Comments
|
@HorizonNet would a self-signed certificate work for this? |
|
Why do you need a certificate? |
|
as part of https://www.cloudera.com/documentation/enterprise/5-9-x/topics/cm_sg_intro_kerb.html |
|
TLS encryption is not part of the Kerberos setup as described in the lab. TLS is part of level-security for CM server and agents, which are out of scope. The hint in the Cloudera documentation just says that Kerberos alone is not enough for a secure cluster. |
|
@HorizonNet I'm using aws with elastic IPS for the cluster. Should I use the private DNS and IPS for KDC or the public ones? |
|
You should never rely on IPs in a cluster. On AWS it is best to stick with the private hostnames. This prevents additional traffic costs and allows some advanced security configurations. |
|
@HorizonNet thanks, but do i need to map the private hostnames to their private or public ips in the /etc/hosts or should work out of the box? |
|
On AWS using private hostnames only works out of the box. You shouldn't need to touch |
|
@HorizonNet I'm getting a |
|
Why are you trying to set up multiple KDCs? |
|
I thought that the idea was to have a master in one of the hosts and a client/slave in each host. how should we setup the KDC then? |
|
You need to set up a central KDC and a Kerberos client on each host. The client is not part of the KDC. It only uses the KDC. You only have a master/slave architecture if you set up high availability for your KDC (which is what your link describes). |
|
@HorizonNet unrelated question, is it mandatory to take the challenge or we can just take the exam? |
|
The challenge is mandatory. |
No description provided.
The text was updated successfully, but these errors were encountered: