Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Need help on implementing 2 factor authentication on Hadoop

Need help on implementing 2 factor authentication on Hadoop

New Contributor

Hello,

We want to implement 2 factor authentication on Hadoop cluster.

Currently we have configured Kerberos for AD authentication with username and password.

Does anybody have experience on multi factor authentication on hadoop? How can we integrate second factor authentication like RSA SecurID with Kerberos, and how can we configure the components like Hue, hive, hdfs or any additional component which needs to be configured, in order to provide 2 factor authentication with username, password and RSA SecurID token?

I think we need to configure pkinit/pam for this but I couldn't find any technical documentation.

Thanks,

Samet Karadag

2 REPLIES 2
Highlighted

Re: Need help on implementing 2 factor authentication on Hadoop

Cloudera Employee
Hi SametKaradag,

I'm not sure I understand how you want this to work. I've never tried, but I believe you're right that you'll need to do this on the Kerberos side. If you can separate the Hadoop SPN-s to allow them to log in using keytabs without MFA, it should work fine. The services should work properly if the user can authenticate themselves against Kerberos with their passwords and SecurIDs.

Re: Need help on implementing 2 factor authentication on Hadoop

New Contributor

Hi, so have you managed to implement MFA with Cloudera manager? From what I have researched you would have to use some 3rd party apps like: SAASPASS or Centrify as Cloudera does not appear to be able to deal with MFA authentication. 

It can only do those:

https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_external_auth.html#cmug_topic_...

Please kindly share your findings if you have managed to achieve this. I will keep researching.

Many thanks! P aul