We want to implement two-factor authentication on a Hortonworks cluster.
Currently we have configured Kerberos for AD authentication with username and password.
Does anybody have experience with multi-factor authentication on Hadoop? How can we integrate a second authentication factor like RSA SecurID with Kerberos, and how can we configure components like Hue, Knox, WebHDFS, Hive and HDFS in order to provide two-factor authentication with username, password and RSA SecurID token?
I think we need to configure PKINIT/PAM for this, but I couldn't find any technical documentation.
Hello @Samet Karadag,
In my Hadoop Security experience, I've not seen anyone using two-factor authentication. Moreover, support for RSA SecurID etc. is not part of Hadoop core as of now. Nor does Knox support anything like this.
The closest match I can find is HADOOP-10959 (A Kerberos based token authentication approach), but that is a good 1+ year old now. Maybe you can check Apache Kerby, but I'm not sure if that is GA yet and I don't see much traction there.
@lmccay Do you have any idea on this?
Hi Samet -
AFAIK there is no way to do this for most of the endpoints that you mention.
Knox does have SSO capabilities that would allow such an integration to be leveraged by any applications/UIs that participate in the KnoxSSO integration. Currently, Ranger and Ambari both support KnoxSSO. More participating applications will be coming online in future releases.
I have played around with a couple of POCs of providers that would provide 2FA to KnoxSSO, but there hasn't been anything committed yet. However, those would be specific solutions, not just the ability to combine two different providers for 2FA. One of them leveraged the OpenID Connect capabilities of our pac4j provider for a solution from a company called privaKey.
Another approach would be to leverage the PAM support that was added to Knox in the 0.10.0 Apache release. This would give you the ability to mix and match your two factors. This approach uses our Shiro authentication provider to integrate with the OS-level authentication by delegating to PAM. For PAM docs see: http://knox.apache.org/books/knox-0-10-0/user-guide.html#PAM+based+Authentication.
This would also give you 2FA for applications that participate in KnoxSSO as well as SSH, sudo and other CLI scenarios. Not sure how many of your desired endpoints would be met but it will probably get you the closest.
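As an added illustration of the PAM route described above (not configuration from this thread or from the Knox project), here is the authentication provider section of a Knox topology pointing the Shiro provider's KnoxPamRealm at a dedicated PAM service, with the PAM stack that service would contain; the service name knox-2fa and the pam_ldap.so / pam_securid.so module names are assumptions.

```xml
<!-- Added example: authentication provider section of a Knox topology
     (e.g. conf/topologies/default.xml). The realm class name is the
     Knox 0.10.x one; the PAM service name "knox-2fa" is assumed. -->
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>sessionTimeout</name>
        <value>30</value>
    </param>
    <param>
        <!-- delegate credential checks to the OS PAM stack -->
        <name>main.pamRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxPamRealm</value>
    </param>
    <param>
        <!-- name of the file under /etc/pam.d/ that defines the factors -->
        <name>main.pamRealm.service</name>
        <value>knox-2fa</value>
    </param>
</provider>

<!-- Assumed contents of /etc/pam.d/knox-2fa on the Knox host (module names
     are assumptions; pam_securid.so stands for the RSA PAM agent module).
     Both auth lines are "required", so a request succeeds only when the
     directory password AND the SecurID passcode are both accepted:

     auth     required   pam_ldap.so
     auth     required   pam_securid.so
     account  required   pam_ldap.so

     Caveat: Knox answers every PAM prompt with the single HTTP Basic
     password it received, so a two-module stack only works if the agent
     accepts its factor from that one string (the concatenated
     password+passcode convention mentioned in this thread); check the
     agent's documentation and test the stack with a CLI login first. -->
```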
Samet - Using Knox would be ideal. It could be approached in 2 ways:
Apache Knox covers most of the services you mentioned:
For direct access to the cluster, use bastion hosts:
-- Sean Roberts @seano
Thank you so much for your answer.
As far as I understand, we can integrate KnoxSSO only with Okta, which is a web-based solution. Am I right?
Do you know whether Okta has a solution in which we can install and configure Okta in a private data center?
And another thing: since Knox does not support Hue, it is not possible to provide 2FA for Hue, right?
Thank you so much Sean, now SAML integration is much clearer to me.
The "b" alternative seems very interesting. I couldn't find any reference document in which people enter the LDAP password concatenated with the PIN in the password field. All the documents I found say that after LDAP login with username and password, Windows or some Azure application will ask for the second factor (like this page).
It would be great if you could share a reference link.
Samet - Yes, the concatenated method is just something I've seen implemented. I don't know which directory system and how it was configured.