I can't find documentation or a guide for what to do first, or next.
I need to have Kerberos Authentication for all access, including web UIs, using Corporate ActiveDirectory as the identity provider. SSO would be nice.
I want to use Ranger for Authorization (RBAC) and Auditing.
This is a brand-new cluster, resorting to fresh (no carry over data, configs or anything) install since there were SO MANY security-related problems in the previous instance, and I have the option to just start over completely fresh.
I enabled Kerberos (Ambari Wizard first thing after installing HDP 3.1.4) and now the web UIs don't work with a 403-GSSAPI error, which is stupid the wizard shouldn't leave you broken.
I have been unable to find a guide for which things I should setup in which order. Logically, imho, it would be the root of the security how-to, but that is just a navigation construct with no content.
Also, there are some places in the documentation where things are marked at "optional" with no criteria on why you would or would not do that particular thing, at least not that I could find.
has "Optionally, you can configure Ambari to authenticate using Kerberos tokens via SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)." Great to have an option, not so great to be unable to find decision criteria.