When is the best time to enable Kerberos

Contributor

I am trying to understand when the best time would be to enable Kerberos on a production platform to avoid any potential issues. Is it after integrating the web UIs with LDAP, or is it safe to Kerberize the cluster and then integrate web UIs like Ambari, Knox, NiFi, Ranger, Zeppelin and Hive with AD and enable fine-grained authorization? Does it make any difference from a technical point of view? What about installing a new service or upgrading different services? Is it safer to disable Kerberos, install the new service or upgrade current services, and enable Kerberos again, or is it safe to upgrade current services on a Kerberized cluster?

Re: When is the best time to enable Kerberos

Mentor

@Ali

If you are keen on having a secure Hadoop cluster then you can't do that without Kerberos! It's recommended that before you deliver a production cluster it should be Kerberized.

Every cluster user should be able to positively identify themselves as the one they say they are. In HDP, whenever you add a new component, a principal and keytab (headless or service) will be generated on the host where the component is installed, by default in

 /etc/security/keytabs/xxx

If you want to authenticate using AD then here is a good document: AD&Kerberos.

You don't need to disable Kerberos when adding a new service; Kerberos in the background will generate the appropriate principal and keytab, as stated earlier.

Apart from Kerberos, you should also deploy SSL for the Web UI components and a good practice with Knox.

Hope that helps
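As an added illustration (not part of the thread, and not Ambari or HDP code): a read-only check that lists which principals each file in the keytab directory mentioned above holds and flags keytabs that other users can access. It assumes the MIT keytab file format, version 0x0502; the function names and the sample principal `nn/host1.example.com@EXAMPLE.COM` are constructed for this example.

```python
import os
import stat
import struct

def _counted(buf, p):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(buf):
    """Return (principal, kvno, enctype) per entry; key bytes are never returned."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # size <= 0 marks a deleted slot or padding, which is skipped
            (ncomp,) = struct.unpack_from(">H", buf, pos)
            realm, p = _counted(buf, pos + 2)
            parts = []
            for _ in range(ncomp):
                comp, p = _counted(buf, p)
                parts.append(comp.decode())
            p += 8  # skip name type and timestamp
            kvno, enctype = struct.unpack_from(">BH", buf, p)
            _, p = _counted(buf, p + 3)  # step over the key itself
            if end - p >= 4:  # optional 32-bit kvno replaces the 8-bit one if nonzero
                kvno = struct.unpack_from(">I", buf, p)[0] or kvno
            out.append(("/".join(parts) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return out

def audit_keytabs(directory):
    """Map each *.keytab file in directory to its principals and permission findings."""
    report = {}
    for name in sorted(n for n in os.listdir(directory) if n.endswith(".keytab")):
        path = os.path.join(directory, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Assumption: any access for "other" is a finding; group access is left to site policy.
        issues = ["mode %04o grants access to other users" % mode] if mode & 0o007 else []
        with open(path, "rb") as fh:
            report[name] = {"principals": parse_keytab(fh.read()), "issues": issues}
    return report

def sample_keytab():
    """Constructed one-entry keytab (all-zero dummy key, enctype 18) for trying the parser."""
    f = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + f(b"EXAMPLE.COM") + f(b"nn") + f(b"host1.example.com")
            + struct.pack(">IIBH", 1, 0, 1, 18) + f(bytes(32)) + struct.pack(">I", 1))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Call `audit_keytabs("/etc/security/keytabs")` as a user allowed to read the keytabs, before and after adding a service, to confirm the new principal appeared and no file is open to other users.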

Re: When is the best time to enable Kerberos

Contributor

@Geoffrey Shelton Okot What about the order of Kerberization? Which one is safer? Kerberizing at the final step, or doesn't it matter?

Re: When is the best time to enable Kerberos

Mentor

@Ali

Usually, after deploying all the HDP cluster components and testing that they function normally, then enabling Ranger (a very important component for authentication and authorization) and maybe Atlas if needed, you can Kerberize your cluster. Having said that, you should also know that even after the initial Kerberization, for whatever component you add later on, Kerberos will automatically generate the principal and keytabs behind the scenes.

Hope that helps

Re: When is the best time to enable Kerberos

Contributor

So it is not required to disable Kerberos, upgrade HDP or install a new service, and enable Kerberos again?

Re: When is the best time to enable Kerberos

@Ali Services uses Windows Integrated Authentication, which includes the Kerberos and NTLM protocols for network authentication. Additionally, Windows Integrated Authentication includes the negotiate security header, which prompts the client to select Kerberos or NTLM for authentication. The client can access reports which have the appropriate permissions by using Kerberos for authentication. Servers that use Kerberos authentication can impersonate those clients and use their security context to access network resources.

You can configure Reporting Services to use both Kerberos and NTLM authentication; however this may lead to a failure to authenticate. With negotiate, if Kerberos cannot be used, the authentication method will default to NTLM. When negotiate is enabled, the Kerberos protocol is always used except when:

  • Clients/servers that are involved in the authentication process cannot use Kerberos.
  • The client does not provide the information necessary to use Kerberos.

You may also check this: https://blogs.technet.microsoft.com/rob/2011/11/22/enabling-kerberos-authentication-for-reporting-services/

Re: When is the best time to enable Kerberos

Contributor

@Manish Kumar Yadav Sorry I got confused. What is the relation of Windows Integrated Authentication with the order of Kerberisation?

Re: When is the best time to enable Kerberos

Mentor

@Ali

This is a duplicate; I already answered you in another posting.

Re: When is the best time to enable Kerberos

Explorer


@Geoffrey Shelton Okot

@Jay Kumar SenSharma

When I am trying to enable Kerberos after all the back-end setup, I am getting a warning: "YARN log and local dir will be deleted and ResourceManager state will be formatted as part of Enabling/Disabling Kerberos." What does local dir mean, what all will be deleted, and how is it related? Deleting the YARN log is acceptable, but why local dir?

Can you please provide some detailed clarification on this?

