
Security Setup Reference?


I am looking for a reference for how to set up security in HDP. The documentation has an "overview" hdp_security_overview which speaks in generalities.

A whole set of "How-To"s like this one set_up_knox_proxy

I can't find documentation or a guide for what to do first, or next.

I need to have Kerberos Authentication for all access, including web UIs, using Corporate Active Directory as the identity provider. SSO would be nice.

I want to use Ranger for Authorization (RBAC) and Auditing.

This is a brand-new cluster, resorting to a fresh (no carry-over data, configs or anything) install since there were SO MANY security-related problems in the previous instance, and I have the option to just start over completely fresh.

I enabled Kerberos (Ambari Wizard first thing after installing HDP 3.1.4) and now the web UIs don't work with a 403-GSSAPI error, which is stupid; the wizard shouldn't leave you broken.

I have been unable to find a guide for which things I should set up in which order. Logically, imho, it would be the root of the security how-to, but that is just a navigation construct with no content.

Also, there are some places in the documentation where things are marked as "optional" with no criteria on why you would or would not do that particular thing, at least not that I could find.

For example: https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/authentication-with-kerberos/content/configuri...

has "Optionally, you can configure Ambari to authenticate using Kerberos tokens via SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)." Great to have an option, not so great to be unable to find decision criteria.

Do I need to set up SPNEGO if I have KNOX SSO set up?

Does KNOX SSO setup require the KNOX Proxy setup?

If I overlooked something, please point me to the right resource.

Thanks!