While it is possible to enable Kerberos on an existing cluster, it should be possible to create a new cluster with Kerberos enabled in a single step. Ideally the blueprint API could be used in that case.
Note that any service added to an already-secured cluster is immediately secured. Therefore, a possible workaround is to create a cluster with no services, secure it, then add services. But this workaround is incompatible with blueprints.
Among the benefits:
- reduced time spent in an insecure configuration; close a potential vulnerability.
- more convenient; no additional step to perform.
- faster; fewer restarts.
- improved interoperability with HCFS.