Created on 10-29-2015 05:24 PM - edited 09-16-2022 02:46 AM
Activating Hadoop secure mode using Kerberos and activating Hadoop HTTP authentication using SPNEGO are separate configuration steps.
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html
https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/HttpAuthentication.html
This means that it's possible to run a cluster with Kerberos authentication, but leave the HTTP endpoints unauthenticated.
Is there any valid use case for running in this configuration?
Enabling Kerberos authentication implies a desire for security hardening. Therefore, leaving the HTTP endpoints unauthenticated seems undesirable.
I have encountered clusters that had enabled Kerberos but had not enabled HTTP authentication. When I see this, I generally advise that the admins go back and configure HTTP authentication.
Am I missing a valid reason why an admin would want to keep running in this mode?
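An added check, not part of the thread, that audits a core-site.xml for the split described in the question (RPC authentication set to Kerberos while the HTTP filter is still at its "simple" default); the sample config and any paths in it are constructed.

```python
# Added example (not from the thread): audit a Hadoop core-site.xml for the
# gap described above: hadoop.security.authentication=kerberos while the
# HTTP endpoints still use the "simple" authentication filter.
import xml.etree.ElementTree as ET

def parse_core_site(xml_text):
    """Return {name: value} for every <property> in a Hadoop XML config."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props

def audit_http_auth(props):
    """Return a list of findings; an empty list means RPC and HTTP auth agree."""
    findings = []
    # Hadoop defaults when the property is absent: "simple" auth, anonymous allowed.
    rpc_auth = props.get("hadoop.security.authentication", "simple").lower()
    http_auth = props.get("hadoop.http.authentication.type", "simple").lower()
    anon = props.get("hadoop.http.authentication.simple.anonymous.allowed", "true").lower()
    if rpc_auth == "kerberos" and http_auth != "kerberos":
        findings.append("RPC uses Kerberos but HTTP endpoints use '%s' authentication" % http_auth)
    if http_auth == "simple" and anon == "true":
        findings.append("HTTP 'simple' auth allows anonymous access (user.name not required)")
    if http_auth == "kerberos":
        # SPNEGO needs a principal, keytab and a signature secret file to work at all.
        for key in ("hadoop.http.authentication.kerberos.principal",
                    "hadoop.http.authentication.kerberos.keytab",
                    "hadoop.http.authentication.signature.secret.file"):
            if not props.get(key):
                findings.append("missing %s" % key)
    return findings

# Constructed sample: Kerberos enabled for RPC, HTTP authentication left at defaults.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>
"""

if __name__ == "__main__":
    for finding in audit_http_auth(parse_core_site(SAMPLE_CORE_SITE)):
        print("FINDING:", finding)
```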
Created 10-29-2015 09:11 PM
Chris, it's completely based on the business requirement. Personally, I don't suggest HTTP auth to my customers because the compliance requirement requires a minimum of 2-factor authentication. Logging into Ambari using LDAP/AD credentials and then Kerberos takes care of it. Setting up HTTP auth for each web UI adds more work for admins/users to access web pages (definitely not a strong reason for not setting it up).
Created 10-30-2015 09:27 PM
@Neeraj, thanks for the reply. In this kind of compliance environment, is there something more that is done to mitigate the lack of authentication on the HTTP servers? Are the HTTP ports firewalled off?
Created 10-30-2015 09:35 PM
If you are asking about iptables, then iptables = on, port exceptions stay on, or Knox plays its charm.
Created 10-29-2015 10:28 PM
Chris,
Companies with strict security controls will require HTTP SPNEGO, however, they also must provide the infrastructure for the client. The biggest burden is setting up clients and browsers for Kerberized access.
The only reason Ambari doesn't do it automatically is dev resources - this is already tracked internally. Ideally, Ambari will have an enhanced security wizard and prompt a user if she wants to also secure Hadoop web UIs.
Created 10-30-2015 09:30 PM
@Andrew Grande, thank you. I hadn't considered the IT challenges from the browser side.