MRS Clusters Have Kerberos Enabled

Rule Details

Application Scenarios

The Hadoop community version provides two authentication modes: Kerberos authentication (security mode) and Simple authentication (normal mode). When you create a cluster, you can configure whether to enable Kerberos authentication for MRS, which cannot be changed after the cluster is created. For details, see Kerberos Authentication for MRS Clusters.

• MRS clusters in security mode use Kerberos for security authentication. Kerberos supports mutual authentication between clients and servers. This eliminates the risks incurred by sending user credentials over the network for simulated authentication and improves security. In clusters, KrbServer provides the Kerberos authentication support.
• In normal clusters, MRS components use a native open source authentication mechanism, which is typically Simple authentication. There is no authentication or authorization control for cluster resource management APIs and data control APIs on the server. This means that they are vulnerable to attacks.

Solution

You cannot enable or disable the Kerberos service after the MRS cluster is created. To change Kerberos authentication status, you need to create an MRS cluster, enable or disable the Kerberos service, and migrate cluster data from the original one to the new one. For details, see How Do I Enable or Disable Kerberos Authentication for an Existing MRS Cluster?

Rule Logic

• If Kerberos authentication is not enabled for an MRS cluster, this cluster is non-compliant.
• If Kerberos authentication is enabled for an MRS cluster, this cluster is compliant.