Updated on 2022-08-12 GMT+08:00

Authentication Policies

The big data platform authenticates user identities to prevent unauthorized users from accessing the cluster. A cluster runs in either Security Mode or Normal Mode, and each mode provides its own authentication capabilities.

Security Mode

A cluster in Security Mode uses the Kerberos protocol for authentication. Kerberos supports mutual authentication between the client and the server, and the user's password is never sent over the network: the client proves possession of the key instead. This removes the risk that credentials captured on the network can be replayed to impersonate a user. In the cluster, the KrbServer service provides Kerberos authentication.

Kerberos user object

In the Kerberos protocol, a user object is a principal. A complete principal consists of a username and a realm (domain) name, in the form user@REALM. In O&M management and application development scenarios, a user can connect to cluster servers only after authenticating on the client. Two kinds of users are used: Human-machine users for O&M and Machine-machine users for services. The difference is that the passwords of Machine-machine users are randomly generated by the system, so such users authenticate with a keytab file rather than with a password entered interactively.

Kerberos authentication

Kerberos authentication supports two modes: password authentication and keytab authentication. In both modes the resulting ticket is valid for 24 hours by default; after it expires the user must authenticate again.

  • Password authentication: the user proves their identity by entering the correct password. This mode is mainly used in O&M management scenarios with Human-machine users. The command is kinit Username.
  • Keytab authentication: a keytab file contains the user principal and the principal's encrypted long-term key material. When a keytab is used, the system authenticates with that key automatically and no password is entered. This mode is mainly used in component application development scenarios with Machine-machine users. The keytab file can also be passed to the kinit command (kinit -kt keytab_file principal). Because a keytab is equivalent to the user's password, it must be stored with restrictive file permissions and protected like any other credential.
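The following shell wrapper is an added example, not code from the original page or from the FusionInsight client; it shows the two kinit modes above together with the checks a practitioner would add around them: the principal must carry a realm, a keytab must not be readable by group or others, and a ticket is checked with klist -s before each use so that an expired 24-hour ticket is renewed. The realm HADOOP.COM, the principal names and the keytab path are assumptions used only for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Realm, principals and
# paths are placeholders; the cluster's real values go here.

# A complete Kerberos user object is user[/instance]@REALM. Reject names
# without a realm so kinit cannot fall back to a default realm silently.
valid_principal() {
    printf '%s\n' "$1" | grep -Eq '^[^@/[:space:]]+(/[^@[:space:]]+)?@[A-Za-z0-9.-]+$'
}

# A keytab is equivalent to the user's password: refuse to use one that
# group or others can read. Parses ls -l output for POSIX portability
# (chars 5-10 are the group and other permission bits).
keytab_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Authenticate as principal $1. With a keytab ($2) this is the
# Machine-machine path (no prompt, kinit -kt); without one kinit prompts
# for the Human-machine user's password.
krb_login() {
    principal=$1
    keytab=$2
    valid_principal "$principal" || { echo "bad principal: $principal" >&2; return 2; }
    if [ -n "$keytab" ]; then
        keytab_private "$keytab" || { echo "refusing group/other-readable keytab: $keytab" >&2; return 3; }
        kinit -kt "$keytab" "$principal"
    else
        kinit "$principal"
    fi
}

# Tickets expire (24 h by default). klist -s is silent and exits non-zero
# when there is no valid, unexpired ticket, so long-running jobs can call
# this before each run and re-authenticate only when needed.
ensure_ticket() {
    klist -s 2>/dev/null || krb_login "$@"
}

# Usage (assumed names):
#   krb_login admin@HADOOP.COM                          # password prompt
#   krb_login app_user@HADOOP.COM /opt/app/user.keytab  # keytab, no prompt
#   ensure_ticket app_user@HADOOP.COM /opt/app/user.keytab && hdfs dfs -ls /
```

The permission check is deliberately strict: a keytab with mode 0640 still fails, because anyone in the file's group could copy it and authenticate as the Machine-machine user without ever seeing a password.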

Normal Mode

When the cluster is in Normal Mode, components use their open-source authentication mechanisms, which differ from component to component, and the kinit command is not supported. FusionInsight Manager (including DBService, KrbServer, and LdapServer) uses username and password authentication. Table 1 lists the authentication mechanism used by each component.

Table 1 Component authentication modes

| Service | Authentication Mode |
| --- | --- |
| CDL | No authentication |
| ClickHouse | Simple authentication |
| Flume | No authentication |
| HBase | WebUI: No authentication; Client: Simple authentication |
| HDFS | WebUI: No authentication; Client: Simple authentication |
| Hive | Simple authentication |
| Hue | Username and password authentication |
| Kafka | No authentication |
| Loader | WebUI: Username and password authentication; Client: No authentication |
| Mapreduce | WebUI: No authentication; Client: No authentication |
| Oozie | WebUI: Username and password authentication; Client: Simple authentication |
| Spark2x | WebUI: No authentication; Client: Simple authentication |
| Storm | No authentication |
| Yarn | WebUI: No authentication; Client: Simple authentication |
| ZooKeeper | Simple authentication |

The authentication modes are described as follows:

  • Simple authentication: when a client connects to a server, the OS user running the client (for example root or omm) is used as the identity automatically. Administrators and service users do not notice the authentication and do not need to run kinit. The server does not verify this identity; it trusts the username the client presents (in open-source Hadoop, for example, the HADOOP_USER_NAME environment variable overrides the OS user). Simple authentication therefore identifies users for authorization and auditing, but it does not stop someone who controls a client from presenting another username.
  • Username and password authentication: the usernames and passwords of Human-machine users are used for authentication.
  • No authentication: any user can access the server; no identity is checked.