Can someone explain, with an example, the difference between Knox with LDAP and Kerberos?


Guru

Can someone explain, with an example, the difference between Knox with LDAP and Kerberos? I read the following article but could not understand it clearly.
https://community.hortonworks.com/questions/62130/difference-between-apache-knox-and-kerberos.html

Accepted Solution

Re: Can someone explain, with an example, the difference between Knox with LDAP and Kerberos?

Expert Contributor

@Saurabh

Knox communicates with the LDAP server to verify that the credentials you have provided are the same credentials that the LDAP server has stored (username/password). After that process is complete, Knox knows that it can trust you, since it has authenticated you.

However, the HDP cluster now needs to authenticate the Knox service to make sure it can be trusted to send commands to the various services inside the cluster. After all, any machine could pose as a Knox edge node. Therefore, Knox then goes through the authentication process with Kerberos using a shared secret called a keytab. This keytab file can only be found on the Knox node that has been configured to connect to the cluster, so this prevents impersonation.

After Knox authenticates into the cluster successfully, all communications between Knox and the cluster are encrypted, providing security for data in-transit/on-the-wire.

3 Replies

Re: Can someone explain, with an example, the difference between Knox with LDAP and Kerberos?

Guru

Thanks a lot @anarasimham. Can you please give an example or explain to me how any machine can pose as a Knox edge node?

Re: Can someone explain, with an example, the difference between Knox with LDAP and Kerberos?

Expert Contributor

You can configure a machine to be a Knox edge node by installing Knox on it and blocking access to the rest of the nodes in your cluster via firewall rules. The only part of your cluster that will be accessible externally (by end users) is the Knox port on the edge node(s) you set up.

Knox will first authenticate the user, and after successful authentication forward the user's request to the appropriate node in the cluster for processing.
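The two-hop flow described in the accepted answer and in the reply above (user authenticated by Knox against LDAP, Knox authenticated to the cluster with its keytab, request forwarded with the asserted user identity) can be modelled in a few lines. The following is a constructed toy, not Knox or Hadoop code: the "LDAP server" stores salted PBKDF2 hashes, the "keytab" is a per-principal secret shared with the cluster, and the Kerberos AP exchange is reduced to a one-time nonce challenge answered with an HMAC. The principal name, user names, paths and the rogue-gateway scenario are all assumptions made for the example. The point it shows is the one the thread makes: a machine that runs the same Knox code and can reach the same LDAP server still cannot act as an edge node, because the cluster only believes the forwarded user identity once the caller has proven it holds the keytab.

```python
import hashlib
import hmac
import os
import secrets

# Constructed model of the Knox + LDAP + Kerberos flow; none of this is
# Knox's or Hadoop's own code. Names and secrets below are made up.


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LdapServer:
    """Holds end-user credentials; Knox asks it to verify a bind (username/password)."""

    def __init__(self, users):
        self._entries = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._entries[name] = (salt, _hash_password(password, salt))

    def bind(self, username, password):
        entry = self._entries.get(username)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _hash_password(password, salt))


class HadoopCluster:
    """Secured cluster: serves a proxied request only after the caller proves
    possession of a registered service key (the gateway's keytab)."""

    def __init__(self, service_keys):
        self._keys = service_keys   # principal -> key the KDC shared with that principal
        self._pending = set()       # outstanding nonces, each usable exactly once

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def _gateway_authenticated(self, principal, nonce, proof):
        key = self._keys.get(principal)
        if key is None or nonce not in self._pending:
            return False
        self._pending.discard(nonce)   # a replayed nonce is rejected
        expected = hmac.new(key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, proof)

    def handle(self, principal, nonce, proof, doas_user, path):
        if not self._gateway_authenticated(principal, nonce, proof):
            return 403, "caller is not a trusted gateway"
        # Only now is the asserted end-user identity believed.
        return 200, f"{path} executed as {doas_user}"


class KnoxGateway:
    """Edge node: authenticates the user against LDAP, then authenticates itself
    to the cluster with its keytab and forwards the request on the user's behalf."""

    def __init__(self, ldap, cluster, principal, keytab):
        self._ldap, self._cluster = ldap, cluster
        self._principal, self._keytab = principal, keytab

    def handle(self, username, password, path):
        if not self._ldap.bind(username, password):
            return 401, "LDAP authentication failed"
        nonce = self._cluster.challenge()
        proof = hmac.new(self._keytab, nonce, "sha256").digest()
        # The user's password never leaves Knox; only the identity is forwarded.
        return self._cluster.handle(self._principal, nonce, proof, username, path)


def demo():
    """Runs the three cases the thread discusses and returns their outcomes."""
    principal = "knox/gateway.example.com@EXAMPLE.COM"   # assumed name
    ldap = LdapServer({"saurabh": "correct horse"})       # constructed user
    knox_keytab = os.urandom(32)
    cluster = HadoopCluster({principal: knox_keytab})
    real_knox = KnoxGateway(ldap, cluster, principal, knox_keytab)
    # Same software, same LDAP, same principal name, but no copy of the keytab.
    rogue_knox = KnoxGateway(ldap, cluster, principal, os.urandom(32))
    path = "/webhdfs/v1/tmp"
    return {
        "valid_user": real_knox.handle("saurabh", "correct horse", path),
        "bad_password": real_knox.handle("saurabh", "wrong", path),
        "rogue_gateway": rogue_knox.handle("saurabh", "correct horse", path),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The firewall rules mentioned in the reply are the other half of the picture: they stop clients from reaching cluster services directly, while the keytab check above stops a second machine from standing in for the gateway even when it can reach them.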