question Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP in Archives of Support Questions (Read Only)

Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

pminovic — Sat, 23 Jan 2016 08:23:58 GMT

After upgrade to Ambari-2.1.2.1 (or 2.2.1) and HDP-2.3.x we are going to add Kerberos and LDAP to the cluster and we are looking for the best, automated solution. Both will run on a RHEL box but we can select components freely. What's the best way to go? I'm aware of

FreeIPA, exactly what we want except that it's not supported by Ambari. I don't mind using manual Kerberos wizard but in Ambari-2.1.2 there were some issues on clusters with manually installed Kerberos (like CSV files not appearing when adding new services, issues when adding new nodes etc).
KDC and OpenLDAP, KDC is fully supported from Ambari, but not aware of full integration of KDC and OpenLDAP, like when adding new users have to add them twice, once to OpenLDAP and then to KDC (possibly can use scripts).

Any help and ideas will be appreciated.

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

nsabharwal — Sat, 23 Jan 2016 08:27:23 GMT

@Predrag Minovic

This is your best shot https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

nsabharwal — Sat, 23 Jan 2016 08:31:25 GMT

@Predrag Minovic I am assuming that you are looking for a way to automate the security integration.

This link has really nice content that you can help to meet the requirement ...Thanks to @Ali Bajwa

https://github.com/abajwa-hw/ambari-workshops/blob/master/blueprints-demo-security.md

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

pminovic — Sat, 23 Jan 2016 08:40:38 GMT

Yes, we'd like to automate kereberization and provide the customer with an easy-to-use interface to manage users afterwards. I'm in touch and aware of great workshops by @Ali Bajwa but the KDC/OpenLDAP integration is not complete. Also aware of a great post about FreeIPA by @David Streever. And thanks for your super-express repsonse!

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

nsabharwal — Sat, 23 Jan 2016 08:55:07 GMT

@Predrag Minovic Both of them are GEMS ...Now, take a look on this

http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.0.0/bk_releasenotes_ambari_2.2.0.0/content/ambari_relnotes-2.2.0.0-new-features.html

Jira.

https://issues.apache.org/jira/browse/AMBARI-13431

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

abajwa — Sat, 23 Jan 2016 09:02:32 GMT

+ @Jean-Philippe Player

Partner team have built some security workshops that show authentication, authorization, audit, encryption on HDP that might be helpful:

For IPA, see here for prebuilt VM and steps on single node. @David Streever updated here for multi-node
For OpenLDAP/KDC, we have similar steps here but they are not really integrated. I took another shot at this to better integrate the two and came up with the steps here but still needed to manually create principal in keytabs. Would be great to get this updated to a more complete solution (any volunteers?)
For demo purposes we also have Ambari services for KDC, OpenLDAP which can be installed either on existing cluster or brought up on new cluster (via blueprints). Steps for those provided here

Also note that in Ambari 2.2.0.0 onwards there is a feature to enable kerberos via blueprints (tech preview feature)

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

gbraccialli3 — Sat, 23 Jan 2016 09:08:10 GMT

@Ali Bajwa

Doesnt Active Directory provide this full-integrated-and-automated way?

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

abajwa — Sat, 23 Jan 2016 09:21:09 GMT

Yes both AD and IPA provide integrated KDC/LDAP experience which is great for most cases. The problem with FreeIPA is that Ambari doesn't natively support it yet (so you have to use manual option in security wizard where you have to manually create principals/distribute keytabs - JIRA has been logged on this). But every so often there are customers who require some corner case setup which doesn't work. Am guessing @Predrag Minovic is running into one of those

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

pminovic — Mon, 25 Jan 2016 22:26:59 GMT

Hi @Ali Bajwa, thanks for chiming in. No special requirements except that KDC/LDAP run on RHEL Linux. Also, I don't mind wasting more time to install the solution but would like to provide sysadmin with easy-to-use UI to manage users and groups.

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

aervits — Wed, 03 Feb 2016 02:09:20 GMT

@Predrag Minovic has this been resolved? Please accept best answer or provide your own solution.

Re: Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

ewalk — Wed, 22 Jun 2016 01:53:32 GMT

AD is most definitely the easiest answer, unless you're morally opposed to it ;). You get integrated LDAP and KRB with nice user management tools. IPA does have some nice ootb features, though, around self service, etc.