
How to configure 2 factor authentication on Hadoop?



Hello Everyone,

We want to implement 2 factor authentication on Hortonworks cluster.

Currently we have configured Kerberos for AD authentication with username and password.

Does anybody have experience on multi factor authentication on hadoop? How can we integrate second factor authentication like RSA SecurID with Kerberos, and how can we configure the components like Hue, Knox, Webhdfs, hive, hdfs in order to provide 2 factor authentication with username, password and RSA SecurID token?

I think we need to configure pkinit/pam for this but I couldn't find any technical documentation.


Samet Karadag


Re: How to configure 2 factor authentication on Hadoop?


Hello @Samet Karadag,

In my Hadoop Security experience, I've not seen anyone using two factor authentication. Moreover, support for RSA SecurID etc. is not part of Hadoop core as of now. Nor does Knox support anything like this.

The closest match I can find is Hadoop-10959 (A Kerberos based token authentication approach), but that is a good 1+ year old now. Maybe you can check Apache Kerby, but I'm not sure if that is GA yet and I don't see much traction there.

@lmccay Do you have any idea on this?


Re: How to configure 2 factor authentication on Hadoop?


CC : @lmccay


Re: How to configure 2 factor authentication on Hadoop?


Hi Samet -

AFAIK there is no way to do this for most of the endpoints that you mention.

Knox does have SSO capabilities that would allow such an integration to be leveraged by any applications/UIs that participate in the KnoxSSO integration. Currently, Ranger and Ambari both support KnoxSSO. More participating applications will be coming online in future releases.

I have played around with a couple of POCs of providers that would provide 2FA to KnoxSSO, but there hasn't been anything committed yet. However, those would be specific solutions, not just the ability to combine two different providers for 2FA. One of them leveraged the OpenID Connect capabilities of our pac4j provider for a solution from a company called privaKey.

Another approach would be to leverage the PAM support that was added to Knox in the 0.10.0 Apache release. This would give you the ability to mix and match your 2 factors. This approach uses our Shiro authentication provider to integrate with the OS level authentication by delegating to PAM. For PAM docs see:

This would also give you 2FA for applications that participate in KnoxSSO as well as SSH, sudo and other CLI scenarios. Not sure how many of your desired endpoints would be met but it will probably get you the closest.




Re: How to configure 2 factor authentication on Hadoop?

Samet - Using Knox would be ideal. It could be approached in 2 ways:

  • a) SSO thanks to Knox support for it.
    • With this, users continue to auth as they always have. Fewer integration points are needed. No additional authentication points. Less to maintain. Less to break.
  • b) Alternatively, configure your directory system against 2FA, such that LDAP logins use 2-factor.
    • Example: Instead of a standard password, they enter "password + pin from 2f device".
    • With this Knox could still be the single point, but you could support any other services that have LDAP support.
    • This also means nothing special/extra is needed in Hadoop. Users use the system as they use other systems.

Apache Knox covers most of the services you mentioned:

  • SSO:
    • SAML 2.0 for SSO (as of HDP 2.5). Nearly all SSO systems support SAML.
  • Web UIs which Knox provides SSO for (as of HDP 2.5):
    • Ambari
    • Ranger
  • Services which Knox provides (as of HDP 2.5):
    • YARN
    • WebHDFS
    • WebHCat/Templeton
    • Oozie
    • HBase (Stargate REST API)
    • Hive (via WebHCat)
    • Hive (via JDBC)
    • Ambari API
    • Ranger API

For direct access to the cluster, use bastion hosts:

  • Typically SSH or Remote Desktop.
  • Authentication to those systems is configured for SSO
    • Many options here. Typically SSSD, Centrify, ...
    • These systems can automatically get the kerberos token on behalf of the user.
  • Then the user would use services as usual.
  • An alternative is to use VPN or SSH-tunnel with 2-factor to gain network access to the cluster. Then the user would need a kerberos token, but the 2-factor level of access is provided at the network layer.


  • Appears to support SAML for SSO.
  • Could use the LDAP method mentioned earlier.
  • Keep in mind that Hue is not an Apache-community project. It's not maintained by Hortonworks or the open community.


-- Sean Roberts @seano
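The "password + pin from 2f device" variant in option (b) above, as an added example that is not part of this thread or of any Knox, LDAP or RSA SecurID product: a constructed directory-side verifier that receives the single concatenated credential, splits the trailing 6 digits off as the token code, checks the remainder against a stored password hash, and validates the code as a TOTP (RFC 6238) within a one-step drift window while refusing a code that was already accepted. The `Directory` class, the account layout and the sample secret (the RFC 4226 test key) are all assumptions for the demo; a real directory would do the same split in its password-check hook or delegate it to a RADIUS/PAM back end.

```python
"""Constructed example: verifying a 'password + token code' credential.

The user types their directory password immediately followed by the 6-digit
code from their second-factor device.  The verifier below is a stand-in for
whatever hook the directory exposes; it is not a real LDAP or SecurID API.
"""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 6
TIME_STEP = 30       # seconds per TOTP step (RFC 6238 default)
ALLOWED_DRIFT = 1    # accept the code for one step before/after the current one


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the first factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_counter: int = -1   # highest TOTP counter already accepted (replay guard)


class Directory:
    """Hypothetical directory that stores accounts and checks combined logins."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def enrol(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), totp_secret)

    def verify(self, user: str, combined: str, now: Optional[int] = None) -> bool:
        """Split 'password + code', check both factors, refuse code replay."""
        now = int(time.time()) if now is None else now
        acct = self.accounts.get(user)
        if acct is None or len(combined) <= CODE_DIGITS:
            return False
        password, code = combined[:-CODE_DIGITS], combined[-CODE_DIGITS:]
        if not code.isdigit():
            return False
        password_ok = hmac.compare_digest(
            hash_password(password, acct.salt), acct.password_hash)
        # Check every counter in the drift window without breaking early, so
        # the work done does not depend on which step (if any) matched.
        counter = now // TIME_STEP
        matched = None
        for c in range(counter - ALLOWED_DRIFT, counter + ALLOWED_DRIFT + 1):
            if hmac.compare_digest(hotp(acct.totp_secret, c), code):
                matched = c
        # Both factors are evaluated before deciding, and a code whose counter
        # is not newer than the last accepted one is treated as a replay.
        if not password_ok or matched is None or matched <= acct.last_counter:
            return False
        acct.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed demo data: RFC 4226 test key, fixed clock so the run is repeatable.
    directory = Directory()
    directory.enrol("samet", "correct horse", b"12345678901234567890")
    code = totp(b"12345678901234567890", 59)
    print("first login :", directory.verify("samet", "correct horse" + code, now=59))
    print("replayed    :", directory.verify("samet", "correct horse" + code, now=59))
    print("bad password:", directory.verify("samet", "wrong" + code, now=59))
```

Because the split happens entirely on the directory side, every service that already authenticates against the directory (Knox, SSH via SSSD, and so on) gets the second factor without any change, which is the point Sean makes in option (b); the cost is that the password field now carries the token code, so it must never be logged or cached by any intermediate service.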


Re: How to configure 2 factor authentication on Hadoop?

Hi Sean,

Thank you so much for your answer.

As far as I understand, we can integrate KnoxSSO only with Okta, which is a web based solution. Am I right?

Do you know whether Okta has a solution in which we can install and configure Okta in a private data center?

And another thing is since Knox does not support Hue, it is not possible to provide 2FA for Hue, right?

Re: How to configure 2 factor authentication on Hadoop?

I've updated the answer with this detail: For SSO, Knox supports SAML 2.0. Any SAML provider should work, including RSA SecurID.

Hue appears to support SAML for SSO (see answer for link)


Re: How to configure 2 factor authentication on Hadoop?

Thank you so much Sean, now SAML integration is much clearer to me.

The "b" alternative seems very interesting. I couldn't find any reference document in which people enter the LDAP password concatenated with the pin in the password field. All the documents I found say that after LDAP login with username and password, Windows or some Azure application will ask for the second factor (like this page).

It would be great if you could share a reference link.


Re: How to configure 2 factor authentication on Hadoop?

Samet - Yes, the concatenated method is just something I've seen implemented. I don't know which directory system was used or how it was configured.
