Updated on 2024-09-23 GMT+08:00

MRS Cluster User Identity Authentication Policy

The big data platform performs user identity authentication to prevent invalid users from accessing the cluster. The cluster provides authentication capabilities in both security mode and normal mode.

Security Mode

The clusters in security mode use the Kerberos authentication protocol for security authentication. The Kerberos protocol supports mutual authentication between clients and servers. This eliminates the risks incurred by sending user credentials over the network for simulated authentication. In clusters, KrbServer provides the Kerberos authentication support.

Kerberos user object

In the Kerberos protocol, each user object is a principal. A complete principal consists of username and domain name. In O&M or application development scenarios, the user identity must be verified before a client connects to a server. Users for O&M and service operations are classified into human-machine and machine-machine users. The password of human-machine users is manually configured, while the password of machine-machine users is generated by the system randomly.

Kerberos authentication

Kerberos supports password and keytab authentication. The validity period of authentication is 24 hours by default.

  • Password authentication: User identity is verified by entering the correct password. This mode mainly used in O&M scenarios where human-machine users are used. The configuration command is kinit Username.
  • Keytab authentication: Keytab files contain users' principal and encrypted credential information. When keytab files are used for authentication, the system automatically uses encrypted credential information to perform authentication and the user password does not need to be entered. This mode is mainly used in component application development scenarios where machine-machine users are used. Keytab authentication can also be configured using the kinit command.

Normal Mode

Different components in a normal cluster use the native open-source authentication mode and do not support the kinit authentication command. FusionInsight Manager (including DBService, KrbServer, and LdapServer) uses the username and password for authentication. Table 1 lists the authentication modes used by components.

Table 1 Component authentication modes

Service

Authentication Mode

IoTDB

Simple authentication

CDL

No authentication

ClickHouse

Simple authentication

Flume

No authentication

HBase

  • Web UI: No authentication
  • Client: simple authentication

HDFS

  • Web UI: no authentication
  • Client: simple authentication

HetuEngine

  • Web UI: no authentication
  • Client: no authentication

Hive

Simple authentication

Hue

Username and password authentication

Kafka

No authentication

Loader

  • Web UI: username and password authentication
  • Client: no authentication

MapReduce

  • Web UI: no authentication
  • Client: no authentication

Oozie

  • Web UI: username and password authentication
  • Client: simple authentication

Spark2x

  • Web UI: no authentication
  • Client: simple authentication

Storm

No authentication

YARN

  • Web UI: no authentication
  • Client: simple authentication

ZooKeeper

Simple authentication

The authentication modes are as follows:

  • Simple authentication: When the client connects to the server, the client automatically authenticates the user (for example, the OS user root or omm) by default. The authentication is imperceptible to the administrator or service user, which does not require kinit.
  • Username and password authentication: Use the username and password of human-machine users in the cluster for authentication.
  • No authentication: Any user can access the server by default.