Kerberos principals (in practice, user accounts) have to be provisioned in advance for every user who needs to use Hadoop. During the SRE summit several proposals were discussed for reusing existing authentication backends, but in the end the simplest and most secure solution seems to be that every user gets a new, dedicated account (username/password) in the Kerberos realm.
The idea is the following (for any new user to be created):
- SRE creates the principal locally on the Kerberos host (with kadmin.local, i.e. directly against the KDC database rather than through kadmind over the network), setting a temporary password that expires almost immediately (it can even be expired at creation time). In MIT Kerberos an expired password does not lock the user out of kinit; it only forces a password change before any ticket is issued, which is exactly the behaviour wanted here.
- An email is sent to the user with the account details, including the temporary password. Since that password is expired by construction, it cannot be used for anything other than setting a new one; if possible, still send it separately from the username.
- On first login (for example via kinit on one of the stat hosts) the user is prompted for the temporary password once and then required to choose a new one before receiving a ticket.
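A worked version of the three steps above, added here as an example rather than the task's own tooling. It assumes an MIT Kerberos KDC; the realm HADOOP.EXAMPLE and the script name are placeholders. Commands are piped into kadmin.local on stdin so the temporary password never appears in process arguments, and the principal is created with both `-pwexpire now` and `+needchange`, so the only thing the emailed password can do is drive the password change at first kinit:

```bash
#!/usr/bin/env bash
# Added example, not the task's own tooling: provision one Hadoop user as a
# Kerberos principal whose temporary password can only be used to set a new one.
# Assumes an MIT Kerberos KDC; the realm name below is a hypothetical placeholder.
set -eu

KRB_REALM="HADOOP.EXAMPLE"   # hypothetical realm

# Random temporary password: 24 urandom bytes, base64, shell-safe characters only.
gen_temp_password() {
    head -c 24 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-20
}

# Emit the kadmin.local commands for one principal.
#   -pwexpire now : the temporary password is expired from the start, so kinit
#                   accepts it only to drive a password change
#   +needchange   : belt and braces: force a change on the next initial
#                   authentication even if the expiry date were edited later
provision_cmds() {
    local user="$1" temp_pw="$2"
    printf 'add_principal -pw %s -pwexpire now +needchange %s@%s\n' \
        "$temp_pw" "$user" "$KRB_REALM"
    printf 'get_principal %s@%s\n' "$user" "$KRB_REALM"
}

# Body of the notification mail. The password in it is single-use by construction.
email_body() {
    local user="$1" temp_pw="$2"
    cat <<EOF
Subject: Your Hadoop (Kerberos) account

Hello $user,

The Kerberos principal $user@$KRB_REALM has been created for you.
Temporary password: $temp_pw

This password is already expired. The first time you run

    kinit $user@$KRB_REALM

on a stat host you will be asked for it once and then prompted to choose a new
password; only after that do you get a ticket.
EOF
}

# Create the principal and print the mail to send. Commands are fed to
# kadmin.local on stdin so the temporary password never shows up in `ps`.
provision_user() {
    local user="$1" temp_pw
    temp_pw="$(gen_temp_password)"
    if command -v kadmin.local >/dev/null 2>&1; then
        provision_cmds "$user" "$temp_pw" | kadmin.local
    else
        echo "kadmin.local not found on this host; would have run:" >&2
        provision_cmds "$user" "$temp_pw" | sed 's/-pw [^ ]*/-pw ********/' >&2
    fi
    email_body "$user" "$temp_pw"
}

# Usage: ./provision.sh <shell-username>   (run as root on the Kerberos host)
if [ $# -gt 0 ]; then
    provision_user "$1"
fi
```

When run on a host without kadmin.local the script only prints the (password-masked) commands it would have issued and the mail body, which makes it easy to review the flow before pointing it at the real KDC.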
This task is to evaluate the plan above and, if it is sound, implement it.