
Can ranger work with AD without Kerberos?




Hi,

I am trying to use AD for ranger usersync and authentication but without Kerberos. Does that work?

Also, does ranger groupsync with AD work without setting the Hadoop AD Group mapping as mentioned in ?

http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.0.0/bk_Ambari_Security_Guide/content/setting_up_...

Accepted solution

Re: Can ranger work with AD without Kerberos?

@Madhavi Amirneni, you are trying to use AD as a simple LDAP. This works. Ranger without Kerberos is not of much use. The best practice for securing a Hadoop cluster is to Kerberize the cluster first and then enable Ranger.

As an example, here is how you can bypass authorization without authentication.

useradd baduser

su - baduser

whoami - confirm you are baduser, who has no special access or group memberships.

hdfs dfs -ls /user/

You should get a directory listing

hdfs dfs -ls /user/ambari-qa

You should get denied, as ambari-qa doesn't have world read permission.

export HADOOP_USER_NAME=hdfs ===> Now impersonating as the hdfs user.

hdfs dfs -ls /user/ambari-qa

You should get into the directory. Now you just hacked HDFS!!!

You could potentially do:

hdfs dfs -rm -r / and delete all the data!!!!!!!

This is why authorization without authentication is not of much help. This is why you need Kerberos.

Hope this helps.
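The impersonation shown above leaves a trace a defender can look for. As an added example (not code from this thread, nor from Ranger or Hadoop), the Python below parses NameNode audit lines in the standard hdfs-audit.log format, lists every user that authenticated as auth:SIMPLE (an asserted, unverified identity), flags the exact sequence from the demo (a denied request followed from the same IP by an allowed auth:SIMPLE request under a privileged name for the same path), and reads hadoop.security.authentication from core-site.xml to confirm whether Kerberos is enforced at all. The audit lines, the core-site.xml content, the PRIVILEGED set and the five-minute window are constructed assumptions.

```python
"""Detect the HADOOP_USER_NAME impersonation pattern in HDFS audit logs and
check whether the cluster is configured for Kerberos.  Added example, not
code from the thread; the audit lines and XML below are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed hdfs-audit.log lines (assumed standard NameNode audit format).
SAMPLE_AUDIT = """\
2016-05-10 10:01:22,101 INFO FSNamesystem.audit: allowed=true\tugi=baduser (auth:SIMPLE)\tip=/10.0.0.12\tcmd=listStatus\tsrc=/user\tdst=null\tperm=null\tproto=rpc
2016-05-10 10:01:40,512 INFO FSNamesystem.audit: allowed=false\tugi=baduser (auth:SIMPLE)\tip=/10.0.0.12\tcmd=listStatus\tsrc=/user/ambari-qa\tdst=null\tperm=null\tproto=rpc
2016-05-10 10:02:03,334 INFO FSNamesystem.audit: allowed=true\tugi=hdfs (auth:SIMPLE)\tip=/10.0.0.12\tcmd=listStatus\tsrc=/user/ambari-qa\tdst=null\tperm=null\tproto=rpc
2016-05-10 10:05:17,009 INFO FSNamesystem.audit: allowed=true\tugi=hdfs/nn1.example.com@EXAMPLE.COM (auth:KERBEROS)\tip=/10.0.0.5\tcmd=getfileinfo\tsrc=/tmp\tdst=null\tperm=null\tproto=rpc
"""

# Constructed core-site.xml fragment with the weak (non-Kerberos) setting.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1.example.com:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>
"""

# Assumed superuser/service accounts worth watching for asserted identities.
PRIVILEGED = {"hdfs", "hive", "yarn"}

AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?allowed=(?P<allowed>true|false)"
    r"\tugi=(?P<user>\S+) \(auth:(?P<auth>[A-Z]+)\).*?\tip=/(?P<ip>[\d.]+)"
    r"\tcmd=(?P<cmd>\w+)\tsrc=(?P<src>\S+)"
)


def parse_audit(text):
    """Turn audit log text into a chronological list of event dicts."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            e["allowed"] = e["allowed"] == "true"
            events.append(e)
    return events


def simple_auth_users(events):
    """Users whose identity was merely asserted (auth:SIMPLE), never proven."""
    return sorted({e["user"] for e in events if e["auth"] == "SIMPLE"})


def find_identity_switches(events, window=timedelta(minutes=5)):
    """A denied request, then within `window` an allowed auth:SIMPLE request
    from the same IP for the same path under a privileged name: the
    HADOOP_USER_NAME switch demonstrated in the thread."""
    hits = []
    for i, denied in enumerate(events):
        if denied["allowed"]:
            continue
        for later in events[i + 1:]:
            if later["ts"] - denied["ts"] > window:
                break
            if (later["ip"] == denied["ip"] and later["allowed"]
                    and later["auth"] == "SIMPLE"
                    and later["user"] != denied["user"]
                    and later["user"] in PRIVILEGED
                    and later["src"] == denied["src"]):
                hits.append({"ip": denied["ip"], "from": denied["user"],
                             "to": later["user"], "src": later["src"],
                             "ts": later["ts"]})
    return hits


def security_settings(core_site_xml):
    """Read the two Hadoop security switches; Hadoop's defaults are applied
    when a property is absent (simple authentication, no authorization)."""
    root = ET.fromstring(core_site_xml)
    props = {p.findtext("name"): p.findtext("value") for p in root.iter("property")}
    return {"authentication": props.get("hadoop.security.authentication", "simple"),
            "authorization": props.get("hadoop.security.authorization", "false")}


def kerberos_enforced(core_site_xml):
    return security_settings(core_site_xml)["authentication"].lower() == "kerberos"


if __name__ == "__main__":
    ev = parse_audit(SAMPLE_AUDIT)
    print("auth:SIMPLE users:", simple_auth_users(ev))
    for h in find_identity_switches(ev):
        print("possible HADOOP_USER_NAME impersonation:", h)
    print("kerberos enforced:", kerberos_enforced(SAMPLE_CORE_SITE))
```

On a Kerberized cluster the audit field reads auth:KERBEROS (or auth:PROXY via a Kerberos-authenticated service), so any auth:SIMPLE entry is itself the finding; the denied-then-allowed correlation only narrows it to the hands-on pattern in the demo.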

6 replies

Re: Can ranger work with AD without Kerberos?

If you want to use AD for authentication, you have to use Kerberos. That is the facility for authentication that AD provides. Group sync will work without setting the group mapping, but that means that the O/S groups and AD groups will not be in sync.

Re: Can ranger work with AD without Kerberos?

Is that really true? You can use the LDAP interface for all frontends, and I think you can even do Linux->AD integration using LDAP as well. https://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx#id0060006 I totally agree with you that this doesn't make sense, but it should theoretically work, I would think.

Re: Can ranger work with AD without Kerberos?

@Benjamin Leonhardi LDAP is not authentication, it is for user management, group management, etc. Kerberos is what provides the authentication piece (I am who I say I am). If you integrate with LDAP for users, you can still impersonate a user because you don't have to actually go through an authentication process.

Re: Can ranger work with AD without Kerberos?

@emaxwell LDAP would provide the authentication for Linux, Ambari, Hive, Hue etc. What it wouldn't cover is authentication for the native APIs, that is correct. But if you work in an environment where you basically trust the users and don't have too sensitive data, i.e. you just want to make sure they don't accidentally do something bad (like in a scientific environment), it's definitely still a possibility.

Re: Can ranger work with AD without Kerberos?


It works. But is it secure? No. Unauthorized impersonation is the biggest problem in the cluster. With Kerberos you won't have this problem. When you run the sync command from the linux box, you need to have a user principal that can get kerberos tickets for authN. AD Group Mapping must be in sync with OS/HDFS to ensure consistent authZ across components.
