Samet - Using Knox would be ideal. It could be approached in 2 ways:
a) SSO thanks to Knox support for it.
With this users continue to auth as they always have. Less integration points are needed. No additional authentication points. Less to maintain. Less to break b) Alternatively, configure your directory system against 2FA, such that LDAP logins use 2-factor.
Example: Instead of a standard password, they enter "password + pin from 2f device". With this Knox could still be the single point, but you could support any other services that have LDAP support. This also means nothing special/extra is needed in Hadoop. Users use the system as they use other systems. Apache Knox covers most of the services you mentioned:
SSO:
SAML 2.0 for SSO (as of HDP 2.5). Nearly all SSO systems support SAML. Web UIs which Knox provides SSO for (as of HDP 2.5):
Ambari Ranger Services which Knox provides (as of HDP 2.5):
YARN WebHDFS WebHCat/Templeton Oozie HBase (Stargate REST API) Hive (via WebHCat) Hive (via JDBC) Ambari API Ranger API For direct access to the cluster, use bastion hosts:
Typically SSH or Remote Desktop. Authentication to those systems is configured for SSO
Many options here. Typically SSSD, Centrify, ... These systems can automatically get the kerberos token on behalf of the user. Then the user would use services as usual. An alternative is to use VPN or SSH-tunnel with 2-factor to gain network access to the cluster. Then the user would need a kerberos token, but the 2-factor level of access is provided at the network layer. Hue:
Appears to support SAML for SSO. Could use the LDAP method mentioned earlier. Keep in mind that Hue is not an Apache-community project. It's not maintained by Hortonworks or the open community. Documentation:
Knox SSO (HDP 2.5) Knox supported Hadoop Services (HDP 2.5) Hue support for SAML --
Sean Roberts
@seano
... View more
