In order to deploy a secured multi-tenant Cloudera cluster, we planned to use Kerberos as the main authentication mechanism. We have planned to deploy many projects/applications on this cluster.
In a multi-tenant context, we are exploring different options to organize users by groups/projects in Kerberos.
We have identified two possibilities:
Option 2: 1 realm for all projects on the same platform (1 platform = 1 realm) + a rule to distinguish the users associated with a project through their principals.
Syntax: username/project@REALM.com
Example: bob/data_lake@mycompany.com
Do you have any feedback about best practices for using Kerberos in a multi-tenant context?
PS: if you have other options, don't be afraid to share them.
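As an added illustration of Option 2 (not code from the original post or from Cloudera), the snippet below parses a `username/project@REALM` principal and derives the local user and project from it, with the checks a cluster would need before trusting the instance component as a tenant: the realm must be the one expected, the instance must name a known project, and a malformed principal must never map to anything. The realm name, the project list and the user-name pattern are constructed assumptions; the comparison with Hadoop's `auth_to_local` rules is only a note on what such rules do not check on their own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values for this example (assumptions, not from the original post).
TRUSTED_REALM = "MYCOMPANY.COM"
KNOWN_PROJECTS = {"data_lake", "fraud_analytics"}
LOCAL_USER_RE = re.compile(r"[a-z][a-z0-9_-]*")


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance]@REALM' into its components.

    Raises ValueError on malformed input so a caller never works with a
    half-parsed name; Kerberos realms are compared case-sensitively.
    """
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal without realm: {text!r}")
    parts = name.split("/")
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"unsupported principal shape: {text!r}")
    return Principal(parts[0], parts[1] if len(parts) == 2 else None, realm)


def resolve_tenant(text: str) -> Tuple[str, str]:
    """Return (local_user, project) for a 'user/project@REALM' principal.

    A hadoop.security.auth_to_local rule can strip the instance and realm to
    produce the local user, but it does not by itself verify that the realm
    is the trusted one or that the instance is a real project; both checks
    are done here explicitly.
    """
    p = parse_principal(text)
    if p.realm != TRUSTED_REALM:
        raise PermissionError(f"untrusted realm {p.realm!r}")
    if p.instance is None:
        raise PermissionError(f"no project component in {text!r}")
    if p.instance not in KNOWN_PROJECTS:
        raise PermissionError(f"unknown project {p.instance!r}")
    if not LOCAL_USER_RE.fullmatch(p.primary):
        raise PermissionError(f"local user name not allowed: {p.primary!r}")
    return p.primary, p.instance


def tenant_or_none(text: str) -> Optional[Tuple[str, str]]:
    """Convenience wrapper: None instead of an exception for any rejected principal."""
    try:
        return resolve_tenant(text)
    except (ValueError, PermissionError):
        return None
```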