Can anyone please explain to me how Knox hands over user information to Ranger, so that Ranger can apply its policies to that particular user based on the user's group? (I believe Ranger pulls the user's group from AD using SSSD.)
Here is a brief summary:
We are building a 250+ node HDP cluster at my workplace. We have already implemented Kerberos, integrated it with AD and established a one-way trust with the local KDC; before that we completed several steps for joining our HDP nodes to AD using SSSD. We also added two Knox gateway servers for perimeter security, with a LB in front of the Knox GW servers, and for authorization we have Ranger. We have added LDAP/AD for authenticating Knox users. My questions are:
1. Once Knox receives a request, it is authenticated by LDAP. (I believe the user login/password information is included in the URL; we have implemented SSL.) Once authenticated, Knox uses the "knox" user with a keytab to get a TGT from Kerberos, right?
My question here is: where do we configure this? (What properties should we define to tell Knox to use the "knox" user to go to the local KDC to get the TGT?)
2. Once Knox gets the TGT, suppose the user is trying to access a Hive DB. His request will then be validated in Ranger (for authorization, right?). At this point, Ranger retrieves the "original user" information from the request and pulls the group information from AD using SSSD to validate the permissions for that user, right? -> My question here is: how does Ranger retrieve that user's details? (What confuses me is that Knox gets the TGT using the "knox" user, but when the request goes to Ranger, how does Ranger retrieve the original user's details?) --> Where is this configuration? (Which properties, and where do we define them?)
3. When it goes to Ranger: how does Ranger pull the group details belonging to that particular user? (Is that through LDAP sync?) --> Where do we define the properties that tell Ranger to pull the group details from AD using SSSD?
I completely follow the overall flow, but I am actually looking for the exact parameters (or properties) for these connections.
BTW, I read the documentation, but still didn't find the exact linking properties.
I greatly appreciate your time and response. (If possible, please explain in detail.)
Knox's current method for authenticating all users is to configure the Shiro provider for LDAP authentication. This configured topology provides the users and groups that the Ranger plugin will need to authorize against.
1. Knox by default handles all Kerberos for you out of the box when you install the service. The knox user will proxy as the user you have authenticated with. (Make sure you set up your Knox proxy settings in the core-site.xml Hadoop configuration so that Knox can impersonate incoming users.)
2. The Knox Ranger plugin handles this from the Knox LDAP topology configuration you have set up, which provides it with the user and group information. If the user and group information is not set up correctly, you will have Ranger issues such as the following: https://community.hortonworks.com/articles/38348/ranger-is-not-allowing-access-to-knox-resources-wh....
3. If you are configuring for AD, I would recommend that you use the following template in your Knox topology and fill it out according to your environment.
Notice that the comments in the XML in the link above show the proper parameters for configuring user/group information.
    <!-- AD groups of users to allow -->
    <param>
        <name>main.ldapRealm.searchBase</name>
        <value>ou=CorpUsers,dc=lab,dc=hortonworks,dc=net</value>
    </param>
    <param>
        <name>main.ldapRealm.userObjectClass</name>
        <value>person</value>
    </param>
    <param>
        <name>main.ldapRealm.userSearchAttributeName</name>
        <value>sAMAccountName</value>
    </param>
    <!-- changes needed for group sync -->
    <param>
        <name>main.ldapRealm.authorizationEnabled</name>
        <value>true</value>
    </param>
    <param>
        <name>main.ldapRealm.groupSearchBase</name>
        <value>ou=CorpUsers,dc=lab,dc=hortonworks,dc=net</value>
    </param>
    <param>
        <name>main.ldapRealm.groupObjectClass</name>
        <value>group</value>
    </param>
    <param>
        <name>main.ldapRealm.groupIdAttribute</name>
        <value>cn</value>
    </param>
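As an added example (not part of the answer above or of Knox itself), here is a small checker that parses a Knox topology file and reports whether the enabled ShiroProvider carries the group-sync parameters the answer lists; the two embedded topologies are constructed samples, and the provider/role/enabled layout follows the standard Knox topology structure.

```python
# Added example: verify that a Knox topology's ShiroProvider exposes the
# LDAP group-sync params the Knox Ranger plugin needs for group-based policies.
# Parameter names come from the answer above; the topology layout is assumed
# to be the standard <topology><gateway><provider>...</provider></gateway></topology>.
import xml.etree.ElementTree as ET

# Params the answer marks as "changes needed for group sync".
REQUIRED_GROUP_PARAMS = [
    "main.ldapRealm.authorizationEnabled",
    "main.ldapRealm.groupSearchBase",
    "main.ldapRealm.groupObjectClass",
    "main.ldapRealm.groupIdAttribute",
]

def shiro_params(topology_xml: str) -> dict:
    """Return name->value for the enabled ShiroProvider authentication provider, or {}."""
    root = ET.fromstring(topology_xml)
    for provider in root.iter("provider"):
        role = provider.findtext("role", "").strip()
        name = provider.findtext("name", "").strip()
        enabled = provider.findtext("enabled", "false").strip().lower() == "true"
        if role == "authentication" and name == "ShiroProvider" and enabled:
            return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
                    for p in provider.findall("param")}
    return {}

def group_sync_problems(topology_xml: str) -> list:
    """List missing or mis-set group-sync settings; an empty list means Ranger gets groups."""
    params = shiro_params(topology_xml)
    if not params:
        return ["no enabled ShiroProvider authentication provider found"]
    problems = [f"missing {key}" for key in REQUIRED_GROUP_PARAMS if key not in params]
    if params.get("main.ldapRealm.authorizationEnabled", "").lower() != "true":
        problems.append("main.ldapRealm.authorizationEnabled is not true; Knox will not look up groups")
    return problems

# Constructed sample: group sync configured as in the answer's template.
GOOD_TOPOLOGY = """<topology><gateway>
<provider><role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
<param><name>main.ldapRealm.authorizationEnabled</name><value>true</value></param>
<param><name>main.ldapRealm.groupSearchBase</name><value>ou=CorpUsers,dc=lab,dc=hortonworks,dc=net</value></param>
<param><name>main.ldapRealm.groupObjectClass</name><value>group</value></param>
<param><name>main.ldapRealm.groupIdAttribute</name><value>cn</value></param>
</provider></gateway></topology>"""

# Constructed sample: user search only, no group params (the misconfiguration the answer warns about).
BAD_TOPOLOGY = """<topology><gateway>
<provider><role>authentication</role><name>ShiroProvider</name><enabled>true</enabled>
<param><name>main.ldapRealm.userSearchAttributeName</name><value>sAMAccountName</value></param>
</provider></gateway></topology>"""
```

Run `group_sync_problems(BAD_TOPOLOGY)` against the topology you deploy to Knox before pointing the Ranger plugin at it; every reported line corresponds to a param Ranger will otherwise never see.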