Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

kerberos authentication without LDAP/Active Directory.

avatar
Rising Star

Is it possible to implement kerberization in Ambari cluster without LDAP/Active Directory.

We do not have access to Active Directory thus can not use the same. And if we implement kerberos without Active Directory then what are all benefits which I enjoy later.

1 ACCEPTED SOLUTION

avatar

@Pardeep Gorla

Absolutely! You can use an MIT KDC to provide Kerberos authentication. There are a couple of ways to do this. FreeIPA is a good tool that combines LDAP and KDC management for RedHat (CentOS) systems. This will give you the ability to also manage user sync for Ambari and Ranger with the OpenLDAP managed by FreeIPA. You will need to use the "Manually Manage Kerberos Principals" option when enabling Kerberos on the cluster for now. FreeIPA integration is on the roadmap for Ambari, but is not available yet as of Ambari 2.2.2.

View solution in original post

7 REPLIES 7

avatar
Super Guru

@Pardeep Gorla

yes, you can have kerberos installed/adopted without LDAP.

Using AD/LDAP you can have centralized user management and also Level 1 of authentication security for cluster.

kerberos is considered for Level2 security for the cluster.

avatar

@Pardeep Gorla

Absolutely! You can use an MIT KDC to provide Kerberos authentication. There are a couple of ways to do this. FreeIPA is a good tool that combines LDAP and KDC management for RedHat (CentOS) systems. This will give you the ability to also manage user sync for Ambari and Ranger with the OpenLDAP managed by FreeIPA. You will need to use the "Manually Manage Kerberos Principals" option when enabling Kerberos on the cluster for now. FreeIPA integration is on the roadmap for Ambari, but is not available yet as of Ambari 2.2.2.

avatar
Super Collaborator

avatar

Hi @Pardeep Gorla

To re-iterate the great answers above - yes, you can enable Kerberos without AD/LDAP - its called MIT Kerberos. Please follow the instructions here

You're creating a new MIT Kerberos Instance:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.2.0/bk_Ambari_Security_Guide/content/_optional_...

You're using an existing MIT Kerberos Instance:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.2.0/bk_Ambari_Security_Guide/content/_use_an_ex...

avatar
Rising Star

@emaxwell @Sagar Shimpi @pankaj singh @Ryan Cicak

Thanks for your answers. I have few queries it would be great if you can clarify my doubt.

As per you answers it is clear that we can configure our Ambari server without LDAP/Active Directory. And as per answers I need to use MIT KDC or Free IPA services.

We are using AWS cluster, do I need to follow any other specific process for implementation because we are always using ppk file for login because of firewall restriction or settings.

After these steps what should be my next step as I mentioned earlier we are using ppk file for login.

Those ppk file will work correctly after this or do I need to configure something else ??

What would be the backup plan if something goes wrong, any suggestions ??

avatar

Hi @Pardeep Gorla

I have not configured freeipa - but have configured MIT KDC, so I'll refer to MIT KDC.

Are you referring to logging into an edge node with a ppk file in AWS? Once you're logged into the edge node, you'll need to run kinit (kdc user) - and provide an additional password, which will generate a Kerberos ticket. Once you have the Kerberos ticket, you'll be able to access HDFS (and other services integrated with Kerberos). If something goes wrong in the automated setup, you can simply disable Kerberos -> where the services will shutdown, remove their Kerberos permissions and then start back up.

avatar
Rising Star
@Ryan Cicak

Thanks for your reply. Still I need your opinion and help.

I want to go step by step and suppose I only want to install MIT KDC.

1. Install MIT KDC on all 3 nodes as per the hortonworks link you given in earlier answer.

Question: Is there any impact on login on 3 nodes, does earlier ppk files work in similar way for all different users including ec2user ?

Question: We have few more tools and applications (like Informatica) running on same server. Does it require any changes ?

Question: Any impact on Tools connection running on other server/cluster. Does any changes required any where?

What would happen in worst scenario and how to recover from that.