Created 10-20-2017 04:18 PM
Can someone explain, with an example, the difference between Knox with LDAP and Kerberos? I read the following article but could not understand it clearly.
https://community.hortonworks.com/questions/62130/difference-between-apache-knox-and-kerberos.html
Created 10-20-2017 08:53 PM
Knox communicates with the LDAP server to verify that the credentials you have provided are the same credentials that the LDAP server has stored (username/password). After that process is complete, Knox now knows that it can trust you since it has authenticated you.
However, the HDP cluster now needs to authenticate the Knox service to make sure it can be trusted to send commands to the various services inside the cluster. After all, any machine could pose as a Knox edge node. Therefore, Knox then goes through the authentication process with Kerberos using a shared secret called a keytab. This keytab file can only be found on the Knox node that has been configured to connect to the cluster, so this prevents impersonation.
After Knox authenticates into the cluster successfully, all communications between Knox and the cluster are encrypted, providing security for data in-transit/on-the-wire.
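To make the two halves of that flow concrete, here is an added configuration example (it is not from the original thread and not the Knox project's shipped sample topology). It assumes an HDP-era Knox (package `org.apache.hadoop.gateway`), and the hostnames, LDAP base DN, Kerberos realm, keytab path and WebHDFS URL are constructed placeholders. The first part is a topology file: the `ShiroProvider` binds to the LDAP server with the username/password the end user supplied, which is the "Knox trusts you" step. The second part is the JAAS login configuration Knox uses when `gateway.hadoop.kerberos.secured` is enabled in `gateway-site.xml`: the `knox` service principal and its keytab are what the cluster uses to trust Knox, which is the second step. Because the keytab is read only from the local file, a host that merely runs a copy of Knox but lacks this file cannot obtain a Kerberos ticket for the `knox` principal.

```xml
<!-- Part 1: conf/topologies/secure.xml (constructed example; values are placeholders) -->
<topology>
  <gateway>
    <provider>
      <!-- End-user authentication: Knox binds to LDAP with the supplied credentials -->
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <!-- {0} is replaced with the username from the HTTP Basic header -->
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=example,dc=com</value>
      </param>
      <param>
        <!-- LDAPS so the bind password is not sent in the clear to the directory -->
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldaps://ldap.example.com:636</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>
      <param>
        <!-- every URL behind this topology requires HTTP Basic authentication -->
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
    <provider>
      <!-- The LDAP-verified username is passed to the cluster as the effective user -->
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>WEBHDFS</role>
    <url>http://namenode.example.com:50070/webhdfs</url>
  </service>
</topology>

<!-- Part 2: gateway-site.xml entries that turn on the Knox-to-cluster Kerberos hop -->
<configuration>
  <property>
    <name>gateway.hadoop.kerberos.secured</name>
    <value>true</value>
  </property>
  <property>
    <name>java.security.krb5.conf</name>
    <value>/etc/krb5.conf</value>
  </property>
  <property>
    <name>java.security.auth.login.config</name>
    <value>/etc/knox/conf/krb5JAASLogin.conf</value>
  </property>
</configuration>

<!-- Part 3: /etc/knox/conf/krb5JAASLogin.conf (not XML; JAAS syntax).
     Knox logs in as its own service principal using the keytab that exists
     only on the real edge node; no password is ever typed or stored in config.

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  storeKey=true
  useTicketCache=false
  principal="knox/knox.example.com@EXAMPLE.COM";
};
-->
```

Two things a practitioner should check on a real deployment: the keytab file should be readable only by the account Knox runs as (for example mode 0400 owned by `knox`), since possession of it is exactly what makes a host "the Knox edge node" to the cluster; and the cluster's proxy-user settings must list the `knox` principal, otherwise the identity-assertion step (Knox acting on behalf of the LDAP-authenticated user) is refused by the services.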
Created 10-22-2017 10:50 AM
Thanks a lot @anarasimham. Can you please give an example or explain to me how any machine can pose as a Knox edge node?
Created 10-23-2017 12:16 PM
You can configure a machine to be a Knox edge node by installing Knox on it and blocking access to the rest of the nodes in your cluster via firewall rules. The only part of your cluster that will be accessible externally (by end users) is the Knox port on the edge node(s) you set up.
Knox will first authenticate the user, and after successful authentication forward the user's request to the appropriate node in the cluster for processing.