Created 06-08-2016 03:02 PM
Is it possible to implement kerberization in an Ambari cluster without LDAP/Active Directory?
We do not have access to Active Directory, thus we cannot use it. And if we implement Kerberos without Active Directory, then what are all the benefits I would enjoy later?
Created 06-08-2016 03:09 PM
Absolutely! You can use an MIT KDC to provide Kerberos authentication. There are a couple of ways to do this. FreeIPA is a good tool that combines LDAP and KDC management for RedHat (CentOS) systems. This will give you the ability to also manage user sync for Ambari and Ranger with the OpenLDAP managed by FreeIPA. You will need to use the "Manually Manage Kerberos Principals" option when enabling Kerberos on the cluster for now. FreeIPA integration is on the roadmap for Ambari, but is not available yet as of Ambari 2.2.2.
Created 06-08-2016 03:09 PM
Yes, you can have Kerberos installed/adopted without LDAP.
Using AD/LDAP you can have centralized user management and also Level 1 authentication security for the cluster.
Kerberos is considered Level 2 security for the cluster.
Created 06-08-2016 03:10 PM
You can use MIT KDC - Have a look at https://github.com/hortonworks-gallery/ambari-freeipa-service
Created 06-21-2016 06:55 PM
To reiterate the great answers above: yes, you can enable Kerberos without AD/LDAP; it's called MIT Kerberos. Please follow the instructions here:
You're creating a new MIT Kerberos Instance:
You're using an existing MIT Kerberos Instance:
Created 07-10-2016 08:19 AM
@emaxwell @Sagar Shimpi @pankaj singh @Ryan Cicak
Thanks for your answers. I have a few queries; it would be great if you could clarify my doubts.
As per your answers, it is clear that we can configure our Ambari server without LDAP/Active Directory, and that I need to use MIT KDC or FreeIPA services.
We are using an AWS cluster. Do I need to follow any other specific process for implementation, because we always use a ppk file for login due to firewall restrictions or settings?
After these steps, what should my next step be? As I mentioned earlier, we use a ppk file for login.
Will those ppk files work correctly after this, or do I need to configure something else?
What would be the backup plan if something goes wrong? Any suggestions?
Created 07-11-2016 03:45 PM
I have not configured FreeIPA, but I have configured MIT KDC, so I'll refer to MIT KDC.
Are you referring to logging into an edge node with a ppk file in AWS? Once you're logged into the edge node, you'll need to run kinit (as the KDC user) and provide an additional password, which will generate a Kerberos ticket. Once you have the Kerberos ticket, you'll be able to access HDFS (and other services integrated with Kerberos). If something goes wrong in the automated setup, you can simply disable Kerberos, whereupon the services will shut down, remove their Kerberos permissions and then start back up.
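The edge-node workflow described in the answer above (SSH in, run kinit, then use HDFS), as an added example that is not part of the original thread or any Hortonworks tooling. The functions parse `klist` output to tell whether a ticket-granting ticket is already present before touching HDFS; the sample `klist` text, the principal `hdfsuser@EXAMPLE.COM` and the realm `EXAMPLE.COM` are constructed for illustration and assume an MIT KDC configured in /etc/krb5.conf.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos client
# tools (kinit, klist) and the hdfs CLI are installed on the edge node.

# Constructed sample of `klist` output (not captured from a real cluster);
# used only to exercise the parsing functions below.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hdfsuser@EXAMPLE.COM

Valid starting       Expires              Service principal
07/11/2016 15:45:00  07/12/2016 01:45:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the "Default principal" from klist output read on stdin
# (prints nothing when there is no credentials cache).
ticket_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Exit 0 when the klist output on stdin lists a ticket-granting ticket
# (a krbtgt/<REALM> service principal); exit 1 otherwise.
ticket_has_tgt() {
    grep -q 'krbtgt/'
}

# Pre-flight for an edge-node session: reuse an existing TGT if one is
# cached, otherwise obtain one with kinit for the principal given as $1,
# then prove it works with a kerberized HDFS listing.
# Not run automatically; call it as:  kerberos_preflight hdfsuser@EXAMPLE.COM
kerberos_preflight() {
    principal="$1"
    if klist 2>/dev/null | ticket_has_tgt; then
        echo "Using existing ticket for $(klist 2>/dev/null | ticket_principal)"
    else
        # kinit prompts for the Kerberos password; this is separate from the
        # ppk key used for SSH and does not replace it.
        kinit "$principal" || {
            echo "kinit failed: check the realm and KDC in /etc/krb5.conf" >&2
            return 1
        }
    fi
    # Without a valid ticket this call fails with a GSS/SASL error, which is
    # the quickest way to confirm the cluster really is kerberized.
    hdfs dfs -ls /
}
```

The ppk-based SSH login is unchanged by enabling Kerberos; the new step is only the kinit inside the session, and `klist` is the first thing to check when an HDFS command suddenly fails with an authentication error.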
Created 07-14-2016 12:44 PM
Thanks for your reply. I still need your opinion and help.
I want to go step by step, and suppose I only want to install MIT KDC.
1. Install MIT KDC on all 3 nodes as per the Hortonworks link you gave in your earlier answer.
Question: Is there any impact on login to the 3 nodes? Do the earlier ppk files work in a similar way for all the different users, including ec2user?
Question: We have a few more tools and applications (like Informatica) running on the same server. Do they require any changes?
Question: Is there any impact on tool connections running on other servers/clusters? Are any changes required anywhere?
What would happen in the worst scenario, and how would we recover from that?