Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Why can't we use LDAP for Hadoop authentication?

avatar
author-rank tim_david1954
Rising Star

Created on ‎09-12-2016 03:01 PM - edited ‎09-16-2022 03:38 AM

We all know that Hadoop needs Kerberos to be fully secure. LDAP is an authentication solution used with several Hadoop tools (Ambari, Nifi, Ambari, etc). Why we need Kerberos in addition of LDAP ?

5,150 Views
1 ACCEPTED SOLUTION

avatar
author-rank amcbarnett
Guru

Created ‎09-12-2016 03:36 PM

You can use LDAP in ADDITION to Kerberos. LDAP is the authentication authority. Kerberos is the ticketing system. LDAP is like the DMV giving you your driver's licence. Kerberos is your boarding pass to get on the plane. Kerberos can be enabled with AD, FreeIPA as your LDAP in HAdoop. Ambari, Nifi, Ranger will authenticate with those LDAPs. The only exception is Hive where when Kerberos is enabled it replaces LDAP authentication.

View solution in original post

3,586 Views
3 REPLIES 3

avatar
author-rank amcbarnett
Guru

Created on ‎09-12-2016 03:05 PM - edited ‎08-18-2019 06:19 AM

Here is your answer: You can easily spoof your Hadoop cluster with a change of a simple environment variable.

7536-1-spoof-security.gif

See also

https://community.hortonworks.com/questions/2982/kerberos-adldap-and-ranger.html

3,586 Views

avatar
author-rank tim_david1954
Rising Star

Created ‎09-12-2016 03:14 PM

@Ancil McBarnett

Thanks, I am already aware of this. My question is more on why we can not use LDAP ? is it because Hadoop doesn't support it and we can some day implement and LDAP integration ? or because LDAP is lacking a feature, hence can not and will never replace Kerberos ?

3,586 Views
0 Kudos

avatar
author-rank amcbarnett
Guru

Created ‎09-12-2016 03:36 PM

You can use LDAP in ADDITION to Kerberos. LDAP is the authentication authority. Kerberos is the ticketing system. LDAP is like the DMV giving you your driver's licence. Kerberos is your boarding pass to get on the plane. Kerberos can be enabled with AD, FreeIPA as your LDAP in HAdoop. Ambari, Nifi, Ranger will authenticate with those LDAPs. The only exception is Hive where when Kerberos is enabled it replaces LDAP authentication.

3,587 Views
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements