Support Questions

kbrodie · ‎09-26-2016

This is probably a dumb question. So, I have Ranger talking to our active directory for users in our HDP 2.4 environment. Awesome! And while I am able to (for example) connect to an HDFS object via CURL, and actually see policies work (correct user, or invalid user)... I have no idea how to force ranger to require a PASSWORD for these requests? I can apparently connect to stuff simply by specifying the user, and no password.

Am I being dumb here.. is this where I need KNOX to talk to my AD instead of ranger? Sorry for my confusion on this, ANY help appreciated.

slachterman · ‎09-26-2016

Hi @Kent Brodie, it's important to distinguish authentication and authorization in security discussions. Ranger manages the authorization aspect of security, assuring that users have compliant access policies defined for the assets to which they require access.

Authentication--proving that user identity is genuine--is not managed by Ranger. In secured clusters, authentication is managed via Kerberos, via integration with Active Directory (or another Kerberos implementation such as MIT-KDC, etc.). Users authenticate to their KDC, obtaining a ticket-granting ticket or TGT, and present this TGT to the various Hadoop services in order to prove their identity, that they are who they say they are. Ranger uses this identity--proven to be genuine by the Kerberos protocol--in its mapping of policies to assets.

Yes, you are on the right track in thinking about Knox. Knox is a gateway to your secured Hadoop services, and can be a centralized point for enforcement of authentication. By integrating Knox and your AD infrastructure, you can enforce authorization at this gateway to the cluster services.

Please let us know what further questions you have.

View solution in original post

slachterman · ‎09-26-2016

Hi @Kent Brodie, it's important to distinguish authentication and authorization in security discussions. Ranger manages the authorization aspect of security, assuring that users have compliant access policies defined for the assets to which they require access.

Authentication--proving that user identity is genuine--is not managed by Ranger. In secured clusters, authentication is managed via Kerberos, via integration with Active Directory (or another Kerberos implementation such as MIT-KDC, etc.). Users authenticate to their KDC, obtaining a ticket-granting ticket or TGT, and present this TGT to the various Hadoop services in order to prove their identity, that they are who they say they are. Ranger uses this identity--proven to be genuine by the Kerberos protocol--in its mapping of policies to assets.

Yes, you are on the right track in thinking about Knox. Knox is a gateway to your secured Hadoop services, and can be a centralized point for enforcement of authentication. By integrating Knox and your AD infrastructure, you can enforce authorization at this gateway to the cluster services.

Please let us know what further questions you have.

kbrodie · ‎09-26-2016

Awesome. OK, that's what I thought- I appreciate the quick reply (!). The documentation on all of this stuff out there isn't super clear for us newbies in this space 🙂

slachterman · ‎09-26-2016

No problem @Kent Brodie, please feel free to upvote and/or accept helpful answers.

Cloudera Community

Support Questions

How to tell ranger to require passwords for plugins / services?