MRS Clusters Have Kerberos Enabled
Rule Details
Parameter | Description |
---|---|
Rule Name | mrs-cluster-kerberos-enabled |
Identifier | MRS Clusters Have Kerberos Enabled |
Description | If Kerberos is not enabled for an MRS cluster, this cluster is non-compliant. |
Tag | mrs |
Trigger Type | Configuration change |
Filter Type | mrs.mrs |
Rule Parameters | None |
Application Scenarios
The Hadoop community version provides two authentication modes: Kerberos authentication (security mode) and Simple authentication (normal mode). When you create a cluster, you can choose whether to enable Kerberos authentication for MRS. This setting cannot be changed after the cluster is created. For details, see Kerberos Authentication for MRS Clusters.
- MRS clusters in security mode use Kerberos for security authentication. Kerberos supports mutual authentication between clients and servers. This eliminates the risks incurred by sending user credentials over the network for simulated authentication and improves security. In clusters, KrbServer provides the Kerberos authentication support.
- In normal clusters, MRS components use a native open source authentication mechanism, which is typically Simple authentication. There is no authentication or authorization control for cluster resource management APIs and data control APIs on the server. This means that they are vulnerable to attacks.
Solution
You cannot enable or disable the Kerberos service after an MRS cluster is created. To change the Kerberos authentication status, create a new MRS cluster with the Kerberos service enabled or disabled as required, then migrate the cluster data from the original cluster to the new one. For details, see How Do I Enable or Disable Kerberos Authentication for an Existing MRS Cluster?
Rule Logic
- If Kerberos authentication is not enabled for an MRS cluster, this cluster is non-compliant.
- If Kerberos authentication is enabled for an MRS cluster, this cluster is compliant.
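The same compliant/non-compliant decision can be cross-checked at the Hadoop layer on a cluster node. The following is an added example, not code from this documentation or from the Config rule itself: it assumes the node's `core-site.xml` is available as text and reads the standard Hadoop properties `hadoop.security.authentication` and `hadoop.security.authorization`; the sample documents and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml contents (not taken from a real cluster).
SECURE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

# A normal-mode cluster often omits the security properties entirely.
NORMAL_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://example-nn:8020</value></property>
</configuration>"""


def read_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document.

    The input is assumed to be a local, operator-controlled config file.
    """
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def evaluate(xml_text):
    """Apply the rule logic (Kerberos enabled => compliant) to core-site.xml text."""
    props = read_properties(xml_text)
    # Hadoop falls back to Simple authentication when the property is absent,
    # so a missing key must be treated as normal mode, not as "unknown".
    auth = props.get("hadoop.security.authentication", "simple").lower()
    # Service-level authorization is off unless explicitly set to true.
    authz = props.get("hadoop.security.authorization", "false").lower() == "true"
    status = "compliant" if auth == "kerberos" else "non-compliant"
    return {"authentication": auth, "service_authorization": authz, "status": status}


if __name__ == "__main__":
    for label, doc in (("secure", SECURE_SITE), ("normal", NORMAL_SITE)):
        print(label, evaluate(doc))
```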