Configuring users for Hadoop
All users required to run MapReduce jobs on the cluster need to be set up on all the nodes in the cluster. In a large cluster, setting up these users is very time-consuming, so the best practice is to integrate the existing enterprise users in Active Directory or LDAP using cross-realm authentication in Kerberos.
Users are centrally managed in Active Directory or LDAP, and we set up a one-way cross-realm trust between Active Directory/LDAP and the KDC on the cluster. Thus, the Hadoop service principals don't have to be set up in Active Directory/LDAP; they authenticate locally on the cluster with the KDC. This also ensures that the cluster load is isolated from the rest of the enterprise. We look at how to integrate Hadoop security with enterprise security systems in subsequent chapters.
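
The following krb5.conf sketch is an added illustration of the one-way trust described above, not configuration from the original text. It assumes an MIT Kerberos KDC on the cluster; the realm names HADOOP.EXAMPLE.COM and CORP.EXAMPLE.COM and all host names are constructed placeholders.

```ini
# /etc/krb5.conf on every cluster node (all names are constructed placeholders)

[libdefaults]
    # Services and cluster-local principals live in the cluster realm
    default_realm = HADOOP.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    # Cluster-local KDC: holds the Hadoop service principals only
    HADOOP.EXAMPLE.COM = {
        kdc = kdc01.hadoop.example.com
        admin_server = kdc01.hadoop.example.com
    }
    # Enterprise realm (Active Directory): holds the user principals
    CORP.EXAMPLE.COM = {
        kdc = ad01.corp.example.com
    }

[domain_realm]
    # Map host names to realms so clients request tickets from the right KDC
    .hadoop.example.com = HADOOP.EXAMPLE.COM
    hadoop.example.com = HADOOP.EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM

# The trust itself is one cross-realm principal, defined on both sides
# with the same password and a common encryption type:
#
#     krbtgt/HADOOP.EXAMPLE.COM@CORP.EXAMPLE.COM
#
# It lets a user holding a CORP.EXAMPLE.COM ticket-granting ticket obtain
# service tickets from the cluster KDC.
#
# The reverse principal, krbtgt/CORP.EXAMPLE.COM@HADOOP.EXAMPLE.COM, is
# deliberately NOT created. That omission is what makes the trust one-way:
# cluster principals cannot obtain tickets for enterprise services, and the
# service-to-service authentication traffic of the cluster never reaches
# the enterprise KDC.
```

With this in place, user accounts are created only in the enterprise directory. Hadoop still has to map the cross-realm principal names to local short names, which is done with the hadoop.security.auth_to_local rules in core-site.xml.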