question Re: Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication? in Support Questions

Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication?

cnauroth — Fri, 16 Sep 2022 09:46:55 GMT

Activating Hadoop secure mode using Kerberos and activating Hadoop HTTP authentication using SPNEGO are separate configuration steps.

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html

This means that it's possible to run a cluster with Kerberos authentication, but leave the HTTP endpoints unauthenticated.

Is there any valid use case for running in this configuration?

Enabling Kerberos authentication implies a desired for security hardening. Therefore, leaving the HTTP endpoints unauthenticated seems undesirable.

I have encountered clusters that had enabled Kerberos but had not enabled HTTP authentication. When I see this, I generally advise that the admins go back and configure HTTP authentication.

Am I missing a valid reason why an admin would want to keep running in this mode?

Re: Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication?

nsabharwal — Fri, 30 Oct 2015 04:11:53 GMT

@Chris Nauroth

Chris, It's completely based on the business requirement. Personally, I don't suggest for HTTP auth to my customer because compliance requirement requires minimum 2 factor authentication. Logging into Ambari using LDAP/AD credentials and then Kerberos takes care of it. Setting up HTTP auth for each web ui adds more work for admin/users to access web pages ( definitely not strong reason for not setting it up)

Re: Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication?

andrewg — Fri, 30 Oct 2015 05:28:31 GMT

Chris,

Companies with strict security controls will require HTTP SPNEGO, however, they also must provide the infrastructure for the client. The biggest burden is setting up clients and browsers for Kerberized access.

The only reason Ambari doesn't do it automatically is dev resources - this is already tracked internally. Ideally, Ambari will have an enhanced security wizard and prompt a user if she wants to also secure Hadoop web UIs.

Re: Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication?

cnauroth — Sat, 31 Oct 2015 04:27:43 GMT

@Neeraj, thanks for the reply. In this kind of compliance environment, is there something more that is done to mitigate the lack of authentication on the HTTP servers? Are the HTTP ports firewalled off?

Re: Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication?

cnauroth — Sat, 31 Oct 2015 04:30:21 GMT

@Andrew Grande, thank you. I hadn't considered the IT challenges from the browser side.

Re: Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication?

nsabharwal — Sat, 31 Oct 2015 04:35:04 GMT

If you are asking about iptables then iptables = on

port exceptions stays on or knox plays its charm.