Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Looking for an automated integration of HDP/Ambari with Kerberos and LDAP

Labels:
avatar
author-rank pminovic author-rank
Master Guru

Created ‎01-23-2016 12:23 AM

After upgrade to Ambari-2.1.2.1 (or 2.2.1) and HDP-2.3.x we are going to add Kerberos and LDAP to the cluster and we are looking for the best, automated solution. Both will run on a RHEL box but we can select components freely. What's the best way to go? I'm aware of

  • FreeIPA, exactly what we want except that it's not supported by Ambari. I don't mind using manual Kerberos wizard but in Ambari-2.1.2 there were some issues on clusters with manually installed Kerberos (like CSV files not appearing when adding new services, issues when adding new nodes etc).
  • KDC and OpenLDAP, KDC is fully supported from Ambari, but not aware of full integration of KDC and OpenLDAP, like when adding new users have to add them twice, once to OpenLDAP and then to KDC (possibly can use scripts).

Any help and ideas will be appreciated.

4,165 Views
1 ACCEPTED SOLUTION

avatar
author-rank abajwa author-rank
Guru

Created ‎01-23-2016 01:02 AM

+ @Jean-Philippe Player

Partner team have built some security workshops that show authentication, authorization, audit, encryption on HDP that might be helpful:

  1. For IPA, see here for prebuilt VM and steps on single node. @David Streever updated here for multi-node
  2. For OpenLDAP/KDC, we have similar steps here but they are not really integrated. I took another shot at this to better integrate the two and came up with the steps here but still needed to manually create principal in keytabs. Would be great to get this updated to a more complete solution (any volunteers?)
  3. For demo purposes we also have Ambari services for KDC, OpenLDAP which can be installed either on existing cluster or brought up on new cluster (via blueprints). Steps for those provided here

Also note that in Ambari 2.2.0.0 onwards there is a feature to enable kerberos via blueprints (tech preview feature)

View solution in original post

3,004 Views
10 REPLIES 10

avatar
author-rank nsabharwal
Master Mentor

Created ‎01-23-2016 12:27 AM

@Predrag Minovic

This is your best shot https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton

2,821 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎01-23-2016 12:31 AM

@Predrag Minovic I am assuming that you are looking for a way to automate the security integration.

This link has really nice content that you can help to meet the requirement ...Thanks to @Ali Bajwa

https://github.com/abajwa-hw/ambari-workshops/blob/master/blueprints-demo-security.md

2,821 Views
0 Kudos

avatar
author-rank pminovic author-rank
Master Guru

Created ‎01-23-2016 12:40 AM

Yes, we'd like to automate kereberization and provide the customer with an easy-to-use interface to manage users afterwards. I'm in touch and aware of great workshops by @Ali Bajwa but the KDC/OpenLDAP integration is not complete. Also aware of a great post about FreeIPA by @David Streever. And thanks for your super-express repsonse!

2,821 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎01-23-2016 12:55 AM

@Predrag Minovic Both of them are GEMS ...Now, take a look on this

http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.0.0/bk_releasenotes_ambari_2.2.0.0/content/ambar...

Jira.

https://issues.apache.org/jira/browse/AMBARI-13431

2,821 Views
0 Kudos

avatar
author-rank abajwa author-rank
Guru

Created ‎01-23-2016 01:02 AM

+ @Jean-Philippe Player

Partner team have built some security workshops that show authentication, authorization, audit, encryption on HDP that might be helpful:

  1. For IPA, see here for prebuilt VM and steps on single node. @David Streever updated here for multi-node
  2. For OpenLDAP/KDC, we have similar steps here but they are not really integrated. I took another shot at this to better integrate the two and came up with the steps here but still needed to manually create principal in keytabs. Would be great to get this updated to a more complete solution (any volunteers?)
  3. For demo purposes we also have Ambari services for KDC, OpenLDAP which can be installed either on existing cluster or brought up on new cluster (via blueprints). Steps for those provided here

Also note that in Ambari 2.2.0.0 onwards there is a feature to enable kerberos via blueprints (tech preview feature)

3,005 Views

avatar
author-rank gbraccialli3
Guru

Created ‎01-23-2016 01:08 AM

@Ali Bajwa

Doesnt Active Directory provide this full-integrated-and-automated way?

2,821 Views

avatar
author-rank abajwa author-rank
Guru

Created ‎01-23-2016 01:21 AM

Yes both AD and IPA provide integrated KDC/LDAP experience which is great for most cases. The problem with FreeIPA is that Ambari doesn't natively support it yet (so you have to use manual option in security wizard where you have to manually create principals/distribute keytabs - JIRA has been logged on this). But every so often there are customers who require some corner case setup which doesn't work. Am guessing @Predrag Minovic is running into one of those

2,821 Views

avatar
author-rank ewalk
Rising Star

Created ‎06-21-2016 06:53 PM

AD is most definitely the easiest answer, unless you're morally opposed to it ;). You get integrated LDAP and KRB with nice user management tools. IPA does have some nice ootb features, though, around self service, etc.

2,821 Views
0 Kudos

avatar
author-rank pminovic author-rank
Master Guru

Created ‎01-25-2016 02:26 PM

Hi @Ali Bajwa, thanks for chiming in. No special requirements except that KDC/LDAP run on RHEL Linux. Also, I don't mind wasting more time to install the solution but would like to provide sysadmin with easy-to-use UI to manage users and groups.

2,821 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements