Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

Master Guru

After upgrade to Ambari-2.1.2.1 (or 2.2.1) and HDP-2.3.x we are going to add Kerberos and LDAP to the cluster and we are looking for the best, automated solution. Both will run on a RHEL box but we can select components freely. What's the best way to go? I'm aware of

  • FreeIPA, exactly what we want except that it's not supported by Ambari. I don't mind using the manual Kerberos wizard, but in Ambari-2.1.2 there were some issues on clusters with manually installed Kerberos (like CSV files not appearing when adding new services, issues when adding new nodes, etc.).
  • KDC and OpenLDAP. KDC is fully supported by Ambari, but I'm not aware of a full integration of KDC and OpenLDAP; for example, when adding new users you have to add them twice, once to OpenLDAP and then to KDC (possibly scripts can be used).

Any help and ideas will be appreciated.
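The "add every user twice" problem from the second bullet is the usual gap when OpenLDAP and an MIT KDC are run side by side. The script below is an added example, not from this thread or from any of the workshops mentioned in it. It drives both the LDAP entry and the Kerberos principal from one record so the `uid` in LDAP and the principal name in the KDC can never drift apart, which is what HDP's `hadoop.security.auth_to_local` mapping relies on. The base DN `dc=example,dc=com` and realm `EXAMPLE.COM` are placeholders; it assumes OpenLDAP with the `inetOrgPerson`/`posixAccount` schema and MIT Kerberos `kadmin.local` available on the KDC host. The generator functions run anywhere; only `provision_user` touches the two services.

```shell
#!/bin/sh
# Added example: provision a user in OpenLDAP and the MIT KDC from one record.
# Placeholders: base DN dc=example,dc=com and realm EXAMPLE.COM (override via env).

LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"
REALM="${REALM:-EXAMPLE.COM}"

# Accept only plain POSIX login names. Anything else is rejected before it
# reaches ldapadd or kadmin, both of which give some characters special meaning.
valid_uid() {
    case "$1" in
        "" ) return 1 ;;
        *[!a-z0-9._-]* ) return 1 ;;
        [a-z]* ) return 0 ;;
        * ) return 1 ;;
    esac
}

# Build the inetOrgPerson/posixAccount LDIF for one user.
# Usage: user_ldif uid uidNumber gidNumber "Full Name" surname
user_ldif() {
    valid_uid "$1" || return 1
    printf 'dn: uid=%s,ou=People,%s\n' "$1" "$LDAP_BASE"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$1" "$4" "$5"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$2" "$3"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n' "$1"
}

# Principal name derived from the same uid, so auth_to_local yields the LDAP uid.
user_principal() {
    valid_uid "$1" || return 1
    printf '%s@%s' "$1" "$REALM"
}

# kadmin query. No -pw: kadmin prompts for the initial password instead of
# leaving it in shell history or the process list. +needchange forces a change
# at first login; +requires_preauth stops offline guessing against the AS-REP.
user_kadmin_query() {
    valid_uid "$1" || return 1
    printf 'addprinc +requires_preauth +needchange %s' "$(user_principal "$1")"
}

# Apply both halves. Run on the KDC host with LDAP admin rights.
provision_user() {
    valid_uid "$1" || { echo "invalid uid: $1" >&2; return 1; }
    user_ldif "$@" | ldapadd -x -D "cn=admin,$LDAP_BASE" -W || return 1
    kadmin.local -q "$(user_kadmin_query "$1")"
}
```

Run it as `. ./provision.sh && provision_user jdoe 10001 10001 "Jane Doe" Doe`; the LDAP bind and the kadmin password prompt are the only interactive steps, and a rejected uid aborts before either directory is touched.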

1 ACCEPTED SOLUTION


@Jean-Philippe Player

The partner team has built some security workshops that show authentication, authorization, audit and encryption on HDP that might be helpful:

  1. For IPA, see here for a prebuilt VM and steps on a single node. @David Streever updated here for multi-node.
  2. For OpenLDAP/KDC, we have similar steps here, but they are not really integrated. I took another shot at this to better integrate the two and came up with the steps here, but still needed to manually create principals in keytabs. Would be great to get this updated to a more complete solution (any volunteers?).
  3. For demo purposes we also have Ambari services for KDC and OpenLDAP which can be installed either on an existing cluster or brought up on a new cluster (via blueprints). Steps for those are provided here.

Also note that from Ambari 2.2.0.0 onwards there is a feature to enable Kerberos via blueprints (tech preview feature).


10 REPLIES

Master Mentor

@Predrag Minovic I am assuming that you are looking for a way to automate the security integration.

This link has really nice content that can help you meet the requirement. Thanks to @Ali Bajwa.

https://github.com/abajwa-hw/ambari-workshops/blob/master/blueprints-demo-security.md

avatar
Master Guru

Yes, we'd like to automate kerberization and provide the customer with an easy-to-use interface to manage users afterwards. I'm in touch with and aware of the great workshops by @Ali Bajwa, but the KDC/OpenLDAP integration is not complete. I'm also aware of a great post about FreeIPA by @David Streever. And thanks for your super-express response!


@Ali Bajwa

Doesn't Active Directory provide this fully integrated and automated way?


Yes, both AD and IPA provide an integrated KDC/LDAP experience, which is great for most cases. The problem with FreeIPA is that Ambari doesn't natively support it yet (so you have to use the manual option in the security wizard, where you have to manually create principals and distribute keytabs; a JIRA has been logged on this). But every so often there are customers who require some corner-case setup which doesn't work. I'm guessing @Predrag Minovic is running into one of those.

Rising Star

AD is most definitely the easiest answer, unless you're morally opposed to it ;). You get integrated LDAP and KRB with nice user management tools. IPA does have some nice ootb features, though, around self service, etc.

Master Guru

Hi @Ali Bajwa, thanks for chiming in. No special requirements except that KDC/LDAP run on RHEL Linux. Also, I don't mind spending more time to install the solution, but I would like to provide the sysadmin with an easy-to-use UI to manage users and groups.