Authentication Policies
The big data platform performs user identity authentication to prevent invalid users from accessing the cluster. The cluster provides authentication capabilities in both security mode and normal mode.
Security Mode
The clusters in security mode use the Kerberos authentication protocol for security authentication. The Kerberos protocol supports mutual authentication between clients and servers. This eliminates the risks incurred by sending user credentials over the network for simulated authentication. In clusters, KrbServer provides the Kerberos authentication support.
Kerberos user object
In the Kerberos protocol, each user object is a principal. A complete principal consists of username and domain name. In O&M or application development scenarios, the user identity must be verified before a client connects to a server. Users for O&M and service operations are classified into human-machine and machine-machine users. The password of human-machine users is manually configured, while the password of machine-machine users is generated by the system randomly.
Kerberos authentication
Kerberos supports password and keytab authentication. The validity period of authentication is 24 hours by default.
- Password authentication: User identity is verified by entering the correct password. This mode mainly used in O&M scenarios where human-machine users are used. The configuration command is kinit Username.
- Keytab authentication: Keytab files contain users' principal and encrypted credential information. When keytab files are used for authentication, the system automatically uses encrypted credential information to perform authentication and the user password does not need to be entered. This mode is mainly used in component application development scenarios where machine-machine users are used. Keytab authentication can also be configured using the kinit command.
Normal Mode
Different components in a normal cluster use the native open-source authentication mode and do not support the kinit authentication command. FusionInsight Manager (including DBService, KrbServer, and LdapServer) uses the username and password for authentication. Table 1 lists the authentication modes used by components.
|
Service |
Authentication Mode |
|---|---|
|
IoTDB |
Simple authentication |
|
CDL |
No authentication |
|
ClickHouse |
Simple authentication |
|
Flume |
No authentication |
|
HBase |
|
|
HDFS |
|
|
HetuEngine |
|
|
Hive |
Simple authentication |
|
Hue |
Username and password authentication |
|
Kafka |
No authentication |
|
Loader |
|
|
MapReduce |
|
|
Oozie |
|
|
Spark2x |
|
|
Storm |
No authentication |
|
YARN |
|
|
ZooKeeper |
Simple authentication |
The authentication modes are as follows:
- Simple authentication: When the client connects to the server, the client automatically authenticates the user (for example, the OS user root or omm) by default. The authentication is imperceptible to the administrator or service user, which does not require kinit.
- Username and password authentication: Use the username and password of human-machine users in the cluster for authentication.
- No authentication: Any user can access the server by default.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
