Node Requirements for Keytabs

Goal

Limit the number of keytab files for Kerberos.

Learn

Questions

  1. Can we get away with only having keytabs on the master and proxy nodes, or is it necessary to have keytabs on all of the nodes in the cluster?
  2. If we reduce the keytabs for Datameer, what limitations might we face?
  3. If Datameer requires keytabs on every node, do you have plans on changing that requirement?

Answers

  1. You can limit the number of keytabs required to a single location. If both your master and proxy hosts have access to the single location of the Datameer keytab containing the principal, you should be set. Keeping 2 copies, one on each of the master and proxy hosts, is functional as well.
  2. There are no known limitations. Datameer only reaches out to the single keytab file that has been defined in the Hadoop Cluster configuration section of Administration.
  3. Datameer doesn't currently require keytabs to be distributed on each node. Feel free to reduce their footprint on your cluster as far as Datameer is concerned.

Summary

Requirements for Datameer keytab:

  • A single keytab file is required for Datameer (distribution is not required/advised)
  • The path to the keytab is configured in Datameer under Administration
  • For security purposes, a single copy/location for the keytab is suggested
  • Further best practices would suggest limiting the Datameer keytab file to contain only the Datameer principal
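
One way to check a keytab against the last two recommendations, as an added example that is not Datameer's own tooling: it assumes MIT Kerberos `klist` is installed, and the function names, keytab path and principal shown are placeholders.

```bash
#!/usr/bin/env bash
# Added example: audit a keytab for extra principals and loose file permissions.
# Function names, path and principal are illustrative, not Datameer defaults.

# Read `klist -k` output on stdin and print each principal other than $1 once.
# Returns 0 only when at least one entry exists and every entry matches $1.
unexpected_principals() {
  awk -v want="$1" '
    $1 ~ /^[0-9]+$/ {                      # entry lines start with the KVNO
      seen++
      if ($NF != want) { bad++; if (!shown[$NF]++) print $NF }
    }
    END { exit (seen == 0 || bad > 0) ? 1 : 0 }
  '
}

# Return 0 when the file has no group or other permission bits set.
owner_only() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# usage: audit_keytab /path/to/datameer.keytab datameer@EXAMPLE.COM
audit_keytab() {
  local keytab=$1 principal=$2 rc=0
  owner_only "$keytab" \
    || { echo "WARN: $keytab is accessible beyond its owner"; rc=1; }
  klist -k "$keytab" | unexpected_principals "$principal" \
    || { echo "WARN: $keytab holds entries other than $principal, or none"; rc=1; }
  return $rc
}
```

Run `audit_keytab` as the account Datameer runs under, on each host that holds a copy of the keytab.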