Support Questions

Is that really true? You can use the LDAP interface for all frontends and you I think can even do Linux->AD integration using LDAP as well. https://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx#id0060006 I totally agree with you that this doesn't make sense but it should theoretically work I would think.

@Benjamin Leonhardi LDAP is not authentication, it is for user management, group management, etc. Kerberos is what provides the authentication piece (I am who I say I am). If you integrate with LDAP for users, you can still impersonate a user because you don't have to actually go through an authentication process.

@emaxwellLDAP would provide the authentication for linux, ambari, Hive, hue etc. What it wouldn't cover would provide authentication for the native apis that is correct. But if you work in an environment where you basically trust the users and don't have too sensitive data i.e. you just want to make sure they don't accidentally do something bad ( like in a scientific environment ) its definitely still a possibility.

As a general statement this is not right by any means. LDAP provides secure and encrypted authentication (encrypted user password and SSL/TLS communication) , together with user/group management. It's only the Hadoop stack does not support this and the two only autentication methods implemented for all the CDP components are the dummy simple auth (described above) and the Kerberos authentication (used in combination with PAM or LDAP for user/group mappings).

As an example, nothing less than Knox (the security gateway to HDP or CDP) implements full authenticacion using only LDAP (with TLS), and it only relies on Kerberos to authenticate a single service/proxy user to communicate with the rest of the cluster.