Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Can someone explain with example difference between Knox with Ldap and Kerberos ?

avatar
Guru

Can someone explain with example difference between Knox with Ldap and Kerberos ?I read following article but could not understand clearly.
https://community.hortonworks.com/questions/62130/difference-between-apache-knox-and-kerberos.html

1 ACCEPTED SOLUTION

avatar
Super Collaborator

@Saurabh

Knox communicates with the LDAP server to verify that the credentials you have provided are the same credentials that the LDAP server has stored (username/password). After that process is complete, Knox now knows that it can trust you since it has authenticated you.

However, the HDP cluster now needs to authenticate the Knox service to make sure it can be trusted to send commands to the various services inside the cluster. After all any machine could pose to be a Knox edge node. Therefore, Knox then goes through the authentication process with Kerberos using a shared secret called a keytab. This keytab file can only be found on the Knox node that has been configured to connect to the cluster, so this prevents impersonation.

After Knox authenticates into the cluster successfully, all communications between Knox and the cluster are encrypted, providing security for data in-transit/on-the-wire.

View solution in original post

3 REPLIES 3

avatar
Super Collaborator

@Saurabh

Knox communicates with the LDAP server to verify that the credentials you have provided are the same credentials that the LDAP server has stored (username/password). After that process is complete, Knox now knows that it can trust you since it has authenticated you.

However, the HDP cluster now needs to authenticate the Knox service to make sure it can be trusted to send commands to the various services inside the cluster. After all any machine could pose to be a Knox edge node. Therefore, Knox then goes through the authentication process with Kerberos using a shared secret called a keytab. This keytab file can only be found on the Knox node that has been configured to connect to the cluster, so this prevents impersonation.

After Knox authenticates into the cluster successfully, all communications between Knox and the cluster are encrypted, providing security for data in-transit/on-the-wire.

avatar
Guru

thanks a lot @anarasimham. Can you please give an example or explain me how any machine can pose to be a Knox edge node ?

avatar
Super Collaborator

You can configure a machine to be a Knox edge node by installing Knox on it and blocking access to the rest of the nodes in your cluster via firewall rules. The only part of your cluster that will be accessible externally (by end users) is the Knox port on the edge node(s) you setup.

Knox will first authenticate the user, and after successful authentication forward the user's request to the appropriate node in the cluster for processing.