AKB
Explorer
Posts: 44
Registered: ‎04-11-2018

Enable SSL for CDH 5.15 Cluster

I am trying to enable SSL for all nodes and services in the cluster. How can I do this? Can someone please point me to some concise documentation where I can do this quickly and safely? Bit confused about Sentry and how it plays into authorization etc. Thanks.

Master
Posts: 326
Registered: ‎07-01-2015

Re: Enable SSL for CDH 5.15 Cluster

This is a little bit long but very good and detailed step-by-step documentation: https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_hadoop_ssl_cm.html

Posts: 934
Topics: 1
Kudos: 218
Solutions: 117
Registered: ‎04-22-2014

Re: Enable SSL for CDH 5.15 Cluster

@AKB,

In CM 6, we introduce auto-tls that might be of interest to you if you are setting up a new cluster:

https://www.cloudera.com/documentation/enterprise/latest/topics/auto_tls.html

In CM 5, configuring TLS is a manual process that can take a good amount of time. The documentation link provided before should help, but if you are new to TLS, PKI, etc. it may take a while to get everything done.

As for Sentry, you can start reading here:

https://www.cloudera.com/documentation/enterprise/5-15-x/topics/sentry_intro.html

AKB
Explorer
Posts: 44
Registered: ‎04-11-2018

Re: Enable SSL for CDH 5.15 Cluster

Is Kerberos authentication mandatory before setting up SSL on Hadoop nodes?


Also, moving to CDH 6 is not an option for us at the moment.

Master
Posts: 326
Registered: ‎07-01-2015

Re: Enable SSL for CDH 5.15 Cluster

It does not make sense to enable SSL when you don't have Kerberos, because typically the reason for SSL is to protect the data (on the fly). Without Kerberos and with SSL, anybody can access your data in Hadoop if they have access to the network of the cluster.


Posts: 934
Topics: 1
Kudos: 218
Solutions: 117
Registered: ‎04-22-2014

Re: Enable SSL for CDH 5.15 Cluster

@AKB,

SSL and Kerberos can be configured independently and do not depend on one another functionally.

It is recommended to use a mixture of both to ensure you can restrict access to your cluster via authentication/authorization and then also, with TLS (SSL), protect against snooping on your data over the wire.

AKB
Explorer
Posts: 44
Registered: ‎04-11-2018

Re: Enable SSL for CDH 5.15 Cluster

What if I needed to set up SSL only and then use our corporate SSO mechanism for authentication? Any hints on that?

Posts: 934
Topics: 1
Kudos: 218
Solutions: 117
Registered: ‎04-22-2014

Re: Enable SSL for CDH 5.15 Cluster

@AKB,

If by SSO you mean SAML, then that would only apply to external access points in UIs: Cloudera Manager, Hue, and Navigator. You still need Kerberos for internals such as HDFS and YARN for instance.

Maybe if you can clarify what you are planning for security in your environment we can help answer more specific questions.

AKB
Explorer
Posts: 44
Registered: ‎04-11-2018

Re: Enable SSL for CDH 5.15 Cluster

Can one SSL certificate be used on all nodes of the cluster? Sorry for the questions, I am not familiar with doing this. 

Master
Posts: 326
Registered: ‎07-01-2015

Re: Enable SSL for CDH 5.15 Cluster

No, it can't, because the FQDN of the host is in the certificate.
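
A pre-deployment check for the point in the answer above, as an added example that is not part of the original thread or of Cloudera's tooling: it compares each node's FQDN with the DNS names in the certificate planned for that node, using the hostname-matching rule TLS clients apply. The host names, the inventory layout and the function names are assumptions made for illustration.

```python
# Added example: host names and certificate name lists below are constructed.

def _match_dns(pattern, hostname):
    """TLS-client style match: case-insensitive, '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one label and needs at least two fixed labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(san_dns_names, fqdn):
    """True if any DNS name in the certificate matches the host's FQDN."""
    return any(_match_dns(name, fqdn) for name in san_dns_names)


def audit(nodes, certs):
    """nodes: list of FQDNs; certs: {fqdn: [DNS names in the cert deployed there]}.
    Returns {fqdn: reason} for every node that would fail hostname verification."""
    problems = {}
    for fqdn in nodes:
        names = certs.get(fqdn)
        if not names:
            problems[fqdn] = "no certificate"
        elif not cert_covers(names, fqdn):
            problems[fqdn] = "certificate names %s do not include this host" % sorted(names)
    return problems


NODES = [
    "master1.cluster.example.com",
    "worker1.cluster.example.com",
    "worker2.cluster.example.com",
]
# The same certificate, issued for master1 only, copied to every node.
ONE_CERT_EVERYWHERE = {n: ["master1.cluster.example.com"] for n in NODES}
# One certificate per node, each naming that node's own FQDN.
PER_HOST = {n: [n] for n in NODES}

if __name__ == "__main__":
    for label, plan in (("one cert", ONE_CERT_EVERYWHERE), ("per host", PER_HOST)):
        print(label, audit(NODES, plan) or "all nodes covered")
```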