Bringing even with upstream branch

Author: v-alje

articles/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds.md

@@ -15,34 +15,34 @@ Enterprise Security Package (ESP) clusters provide multi-user access on Azure HD
 
 In this article, you learn how to configure a HDInsight cluster with ESP by using Azure Active Directory Domain Services (Azure AD-DS).
 
+>[!NOTE]
+>ESP is available in HDI 3.6+ for Spark, Interactive, and Hadoop. ESP for HBase cluster types is in preview.
+
+
 ## Enable Azure AD-DS
 
 Enabling Azure AD-DS is a prerequisite before you can create a HDInsight cluster with ESP. For more information, see [Enable Azure Active Directory Domain Services using the Azure portal](../../active-directory-domain-services/active-directory-ds-getting-started.md). 
 
 > [!NOTE]
 > Only tenant administrators have the privileges to create an Azure AD-DS instance. If you use Azure Data Lake Storage Gen1 as the default storage for HDInsight, make sure that the default Azure AD tenant for Data Lake Storage Gen1 is same as the domain for the HDInsight cluster. Because Hadoop relies on Kerberos and basic authentication, multi-factor authentication needs to be disabled for users who will access the cluster.
 
-After you provision the Azure AD-DS instance, create a service account in Azure Active Directory (Azure AD) with the right permissions. If this service account already exists, reset its password and wait until it syncs to Azure AD-DS. This reset will result in the creation of the Kerberos password hash, and it might take up to 30 minutes to sync to Azure AD-DS. 
+Secure LDAP is for an Azure AD-DS managed domain. When enabling LDAPS, put the domain name in the subject name or the alternative subject name in the certificate. For more information, see [Configure secure LDAP for an Azure AD-DS managed domain](../../active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.md).
 
-The service account needs the following privileges:
+## Add managed identity
 
-- Join machines to the domain and place machine principals within the OU that you specify during cluster creation.
-- Create service principals within the OU that you specify during cluster creation.
-
-> [!NOTE]
-> Because Apache Zeppelin uses the domain name to authenticate the administrative service account, the service account *must* have the same domain name as its UPN suffix for Apache Zeppelin to function properly.
+After you enabled Azure AD-DS, create a managed identity and assign it to the **HDInsight Domain Services Contributor** role in Azure AD-DS Access control.
 
-To learn more about OUs and how to manage them, see [Create an OU on an Azure AD-DS managed domain](../../active-directory-domain-services/active-directory-ds-admin-guide-create-ou.md). 
+![Azure Active Directory Domain Services Access control](./media/apache-domain-joined-configure-using-azure-adds/hdinsight-configure-managed-identity.png)
 
-Secure LDAP is for an Azure AD-DS managed domain. For more information, see [Configure secure LDAP for an Azure AD-DS managed domain](../../active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.md).
+For more information, see [What is managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).
 
 ## Create a HDInsight cluster with ESP
 
-The next step is to create the HDInsight cluster with ESP enabled using Azure AD-DS and the service account that you created in the previous section.
+The next step is to create the HDInsight cluster with ESP enabled using Azure AD-DS.
 
 It's easier to place both the Azure AD-DS instance and the HDInsight cluster in the same Azure virtual network. If you choose to put them in different virtual networks, you must peer those virtual networks so that HDInsight VMs have a line of sight to the domain controller for joining the VMs. For more information, see [Virtual network peering](../../virtual-network/virtual-network-peering-overview.md).
 
-When you create an HDInsight cluster, you have the option to enable Enterprise Security Package to connect your cluster with Azure AD-DS. ESP is only available in HDI 3.6+ for Spark, Interactive, Hadoop, and HBase cluster types.
+When you create an HDInsight cluster, you have the option to enable Enterprise Security Package to connect your cluster with Azure AD-DS. 
 
 ![Azure HDInsight Security and networking](./media/apache-domain-joined-configure-using-azure-adds/hdinsight-create-cluster-security-networking.png)
 
@@ -56,9 +56,9 @@ Early detection saves time by allowing you to fix errors before creating the clu
 
 When you create a HDInsight cluster with ESP, you must supply the following parameters:
 
-- **Cluster admin user**: Choose an admin for your cluster from your list of Active Directory users.
+- **Cluster admin user**: Choose an admin for your cluster from your synced Azure AD-DS.
 
-- **Cluster access groups**: The security groups whose users you want to sync to the cluster. For example, HiveUsers. If you want to specify multiple user groups, separate them by semicolon ‘;’. The group(s) must exist in the directory prior to provisioning. For more information, see [Create a group and add members in Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). If the group does not exist, an error occurs: "Group HiveUsers not found in the Active Directory."
+- **Cluster access groups**: The security groups whose users you want to sync to the cluster should be synced and available in Azure AD-DS. For example, HiveUsers. If you want to specify multiple user groups, separate them by semicolon ‘;’. The group(s) must exist in the directory prior to provisioning. For more information, see [Create a group and add members in Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). If the group does not exist, an error occurs: "Group HiveUsers not found in the Active Directory."
 
 - **LDAPS URL**: An example is ldaps://contoso.onmicrosoft.com:636.
 

articles/hdinsight/domain-joined/apache-domain-joined-run-kafka.md

@@ -12,7 +12,7 @@ ms.date: 09/24/2018
 
 # Tutorial: Configure Kafka policies in HDInsight with Enterprise Security Package
 
-Learn how to configure Apache Ranger policies for Enterprise Security Package (ESP) Kafka clusters, which are connected to a domain allowing users to authenticate with domain credentials. In this tutorial, you create two Ranger policies to restrict access to `sales*` and `marketingspend` topics.
+Learn how to configure Apache Ranger policies for Enterprise Security Package (ESP) Kafka clusters. ESP clusters are connected to a domain allowing users to authenticate with domain credentials. In this tutorial, you create two Ranger policies to restrict access to `sales*` and `marketingspend` topics.
 
 In this tutorial, you learn how to:
 
@@ -158,9 +158,9 @@ Based on the Ranger policies configured, **sales_user** can produce/consume topi
 
    Example: `export KAFKAZKHOSTS=zk1-khdicl.contoso.com:2181,zk2-khdicl.contoso.com:2181`
 
-   As a result, **sales_user1** can produce to topic **salesevents**.
-
-4. Execute the following command to start the console-producer for topic **salesevents**:
+4. Verify that **sales_user1** can produce to topic **salesevents**.
+   
+   Execute the following command to start the console-producer for topic **salesevents**:
 
    ```bash
    /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list $KAFKABROKERS --topic salesevents --security-protocol SASL_PLAINTEXT
@@ -174,19 +174,21 @@ Based on the Ranger policies configured, **sales_user** can produce/consume topi
    /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --zookeeper $KAFKAZKHOSTS --topic salesevents --security-protocol PLAINTEXTSASL --from-beginning
    ```
 
-   To verify, the messages you entered in the previous step will appear, and **sales_user1** cannot produce to topic **marketingspend**.
+6. Verify that the messages you entered in the previous step will appear, and **sales_user1** can't produce to topic **marketingspend**.
 
-6. From the same ssh window as above, execute the following command to produce to the topic **marketingspend**:
+   From the same ssh window as above, execute the following command to produce to the topic **marketingspend**:
 
    ```bash
    /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list $KAFKABROKERS --topic marketingspend --security-protocol SASL_PLAINTEXT
    ```
 
-   An authorization error occurs and can be ignored. Notice that **marketing_user1** can't consume from topic **salesevents**.
+   An authorization error occurs and can be ignored. 
+
+7. Notice that **marketing_user1** can't consume from topic **salesevents**.
 
    Repeat steps 1-3 above, but this time as **marketing_user1**.
 
-7. Execute the following command to consume from topic **salesevents**:
+   Execute the following command to consume from topic **salesevents**:
 
    ```bash
    /usr/hdp/current/kafka-broker/bin/kafka-console-consumer.sh --zookeeper $KAFKAZKHOSTS --topic marketingspend --security-protocol PLAINTEXTSASL --from-beginning
@@ -200,5 +202,5 @@ Based on the Ranger policies configured, **sales_user** can produce/consume topi
 
 ## Next steps
 
-* [Bring your own key to Kafaka](https://docs.microsoft.com/azure/hdinsight/kafka/apache-kafka-byok)
+* [Bring your own key to Kafka](https://docs.microsoft.com/azure/hdinsight/kafka/apache-kafka-byok)
 * [An introduction to Hadoop security with Enterprise Security Package](https://docs.microsoft.com/azure/hdinsight/domain-joined/apache-domain-joined-introduction)

articles/hdinsight/domain-joined/media/apache-domain-joined-configure-using-azure-adds/hdinsight-configure-managed-identity.png

@@ -9,7 +9,7 @@ author: kkampf
 ms.service: hdinsight
 ms.custom: hdinsightactive,hdiseo17may2017
 ms.topic: conceptual
-ms.date: 01/09/2018
+ms.date: 09/24/2018
 ms.author: kakampf
 
 ---