10-16-2018 07:32 AM
I am trying to enable SSL for all nodes and services in the cluster. How can I do this? Can someone please point me to some concise documentation where I can do this quickly and safely? A bit confused about Sentry and how it plays into authorization, etc. Thanks.
10-17-2018 08:13 AM
10-17-2018 08:56 AM
In CM 6, we introduce auto-tls that might be of interest to you if you are setting up a new cluster:
In CM 5, configuring TLS is a manual process that can take a good amount of time. The documentation link provided before should help, but if you are new to TLS, PKI, etc. it may take a while to get everything done.
As for Sentry, you can start reading here:
10-19-2018 09:34 AM - edited 10-19-2018 09:35 AM
Is Kerberos authentication mandatory before setting up SSL on Hadoop nodes?
Also, moving to CDH 6 is not an option for us at the moment.
10-19-2018 09:38 AM
10-19-2018 09:44 AM
SSL and Kerberos can be configured independently and do not depend on one another functionally.
It is recommended to use a mixture of both to ensure you can restrict access to your cluster via authentication/authorization and then also, with TLS (SSL), protect against snooping of your data over the wire.
10-19-2018 12:08 PM
If by SSO you mean SAML, then that would only apply to external access points in UIs: Cloudera Manager, Hue, and Navigator. You still need Kerberos for internals such as HDFS and YARN for instance.
Maybe if you can clarify what you are planning for security in your environment we can help answer more specific questions.