Authentication Policies
The big data platform performs user identity authentication to prevent invalid users from accessing the cluster. The cluster provides authentication capabilities in both Security Mode and Normal mode.
Security Mode
The cluster in Security Mode uses the Kerberos authentication protocol to perform security authentication. The Kerberos protocol supports mutual authentication between the client and the server. This improves security and eliminates the security risks causes by using the network to send user credentials to simulate authentication. In cluster, KrbServer service provides Kerberos authentication support.
Kerberos user object
In the Kerberos protocol, a user object is a principal. A complete user object consists of a username and domain name. In O&M management or application development scenarios, a user can connect to the cluster server only after the user is authenticated on the client. In O&M and service scenarios, Human-machine and Machine-machine users are used. The difference between Human-machine and Machine-machine users is that the passwords of Machine-machine users are randomly generated by the system.
Kerberos authentication
The Kerberos authentication supports two modes: password authentication mode and keytab authentication mode. The validity period of authentication is 24 hours by default.
- Password authentication: Identity authentication is performed by entering the correct password of a user. This mode is mainly used in O&M management scenarios where Human-machine users are used. The command is kinit Username.
- Keytab authentication: The keytab file includes the user principal and encryption information of user credentials. When the keytab file is used for authentication, the system automatically uses encrypted credential information to perform authentication and the user password does not need to be entered. This mode is mainly used in component application development scenarios where Machine-machine users are used. The keytab file can also be used in the kinit command.
Normal Mode
When the cluster is in Normal Mode, different components use different open-source authentication mechanisms, and the kinit authentication command is not supported. FusionInsight Manager (including DBService, KrbServer, and LdapServer) uses the username and password authentication mode. Table 1 lists the authentication mechanisms used by components.
|
Service |
Authentication Mode |
|---|---|
|
CDL |
No authentication |
|
ClickHouse |
Simple authentication |
|
Flume |
No authentication |
|
HBase |
|
|
HDFS |
|
|
Hive |
Simple authentication |
|
Hue |
Username and password authentication |
|
Kafka |
No authentication |
|
Loader |
|
|
Mapreduce |
|
|
Oozie |
|
|
Spark2x |
|
|
Storm |
No authentication |
|
Yarn |
|
|
ZooKeeper |
Simple authentication |
The authentication modes are described as follows:
- Simple authentication: During the connection from the client to the server, the execution user on the client (such as the OS user root or omm) is used for automatic authentication by default. MRS cluster administrators or service users are unaware of the authentication and do not need to run the kinit command to perform the authentication.
- Username and password authentication: The usernames and passwords of Human-machine users are used for authentication.
- No authentication: Any user can access the server by default.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
