Is there a valid use case for activating Hadoop secure mode (Kerberos authentication), but not activating Hadoop HTTP authentication?

Activating Hadoop secure mode using Kerberos and activating Hadoop HTTP authentication using SPNEGO are separate configuration steps.

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html

This means that it's possible to run a cluster with Kerberos authentication, but leave the HTTP endpoints unauthenticated.

Is there any valid use case for running in this configuration?

Enabling Kerberos authentication implies a desire for security hardening. Therefore, leaving the HTTP endpoints unauthenticated seems undesirable.

I have encountered clusters that had enabled Kerberos but had not enabled HTTP authentication. When I see this, I generally advise that the admins go back and configure HTTP authentication.

Am I missing a valid reason why an admin would want to keep running in this mode?
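Added example, not from the original post or from the Hadoop project: a small audit script that parses a core-site.xml and flags the exact combination the question describes, hadoop.security.authentication=kerberos with the HTTP authentication type left at its simple default. The property names and defaults are the ones documented in the two linked pages; the sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml: Kerberos secure mode on, but HTTP
# authentication left at the "simple" default with anonymous access allowed.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
</configuration>
"""


def parse_core_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value", default="")
        if name:
            props[name.strip()] = value.strip()
    return props


def audit_http_auth(props):
    """Flag a cluster that runs Kerberos secure mode but leaves HTTP endpoints unauthenticated.

    Defaults follow the Hadoop docs: hadoop.security.authentication=simple,
    hadoop.http.authentication.type=simple, simple.anonymous.allowed=true.
    """
    findings = []
    rpc_auth = props.get("hadoop.security.authentication", "simple").lower()
    http_type = props.get("hadoop.http.authentication.type", "simple").lower()
    anon = props.get("hadoop.http.authentication.simple.anonymous.allowed", "true").lower() == "true"
    if rpc_auth != "kerberos":
        return findings  # not in secure mode; the HTTP gap is a separate question
    if http_type != "kerberos":
        findings.append("hadoop.http.authentication.type=%s while RPC uses Kerberos: "
                        "the web UIs are not Kerberos-authenticated" % http_type)
        if anon:
            findings.append("hadoop.http.authentication.simple.anonymous.allowed=true: "
                            "requests without even a user.name parameter are accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_http_auth(parse_core_site(SAMPLE_CORE_SITE)):
        print("FINDING:", finding)
```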

1 ACCEPTED SOLUTION

Master Mentor

@Chris Nauroth

Chris, it's completely based on the business requirement. Personally, I don't suggest HTTP auth to my customers because the compliance requirement requires a minimum of 2-factor authentication. Logging into Ambari using LDAP/AD credentials and then Kerberos takes care of it. Setting up HTTP auth for each web UI adds more work for admins/users to access web pages (definitely not a strong reason for not setting it up).


@Neeraj, thanks for the reply. In this kind of compliance environment, is there something more that is done to mitigate the lack of authentication on the HTTP servers? Are the HTTP ports firewalled off?

Master Mentor

If you are asking about iptables, then iptables = on, port exceptions stay on, or Knox plays its charm.


Chris,

Companies with strict security controls will require HTTP SPNEGO; however, they also must provide the infrastructure for the client. The biggest burden is setting up clients and browsers for Kerberized access.

The only reason Ambari doesn't do it automatically is dev resources - this is already tracked internally. Ideally, Ambari will have an enhanced security wizard and prompt a user if she wants to also secure Hadoop web UIs.


@Andrew Grande, thank you. I hadn't considered the IT challenges from the browser side.