Updated on 2024-09-23 GMT+08:00

Kerberos Authentication for MRS Clusters

The Hadoop community version has two authentication modes: Kerberos authentication for security and Simple authentication for regular use. During cluster setup, you can choose to enable or disable Kerberos authentication. Once the cluster is created, this setting cannot be changed.

Security Mode (Kerberos Authentication Enabled)

MRS clusters in security mode use the Kerberos protocol for security authentication. Kerberos supports mutual authentication between clients and servers, which eliminates the risk of user credentials being sent over the network and reused for spoofed authentication. In clusters, KrbServer provides the Kerberos authentication support.

Kerberos user object

In the Kerberos protocol, each user object is a principal. A complete principal consists of a username and a domain name. In O&M or application development scenarios, the user identity must be verified before a client connects to a server. Users for O&M and service operations are classified as human-machine users and machine-machine users. The password of a human-machine user is configured manually, while the password of a machine-machine user is randomly generated by the system.

Kerberos authentication

Kerberos authentication supports two modes: password authentication and keytab authentication. The default authentication validity period is 24 hours.

  • Password authentication: The user identity is verified by entering the correct password. This mode is mainly used in O&M scenarios where human-machine users are used. The client command is kinit Username.
  • Keytab authentication: A keytab file contains a user's principal and encrypted credential information. When a keytab file is used for authentication, the system automatically uses the encrypted credential information to authenticate, and the user password does not need to be entered. This mode is mainly used in component application development scenarios where machine-machine users are used. Keytab authentication can also be performed using the kinit command.
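The following is an added example (not part of the MRS documentation) that shows how a machine-machine service can tell whether its Kerberos ticket from keytab authentication is about to expire, based on the 24-hour default validity period described above. It parses constructed klist-style output (assumed MIT Kerberos format; the principal, realm HADOOP.COM, and paths are made up) and builds the non-interactive kinit -kt command used to re-authenticate from a keytab.

```python
import re
from datetime import datetime, timedelta

# Constructed sample klist output for a machine-machine user (not from the page).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: appuser@HADOOP.COM

Valid starting       Expires              Service principal
09/23/2024 10:00:00  09/24/2024 10:00:00  krbtgt/HADOOP.COM@HADOOP.COM
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
# One ticket line: start time, expiry time, service principal (assumed klist layout).
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)

def parse_time(text):
    """Parse a timestamp in the klist format used above."""
    return datetime.strptime(text, TIME_FMT)

def parse_klist(text):
    """Return (principal, tgt_start, tgt_expiry), or None if no TGT is cached."""
    principal = None
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line.strip())
        if m and m.group(3).startswith("krbtgt/"):  # only the TGT matters here
            return principal, parse_time(m.group(1)), parse_time(m.group(2))
    return None

def ticket_lifetime_hours(text):
    """Lifetime of the cached TGT in hours (24.0 with the MRS default)."""
    parsed = parse_klist(text)
    if parsed is None:
        return 0.0
    return (parsed[2] - parsed[1]).total_seconds() / 3600

def needs_reauth(text, now, margin_minutes=30):
    """True when no TGT is cached or it expires within the safety margin."""
    parsed = parse_klist(text)
    return parsed is None or parsed[2] - now <= timedelta(minutes=margin_minutes)

def keytab_kinit_command(principal, keytab_path):
    """Build the non-interactive kinit command for a machine-machine user."""
    return ["kinit", "-kt", keytab_path, principal]
```

A scheduled job can run this check and, when needs_reauth() is true, execute the returned command with subprocess before the service's next connection to the cluster.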

Common Mode (Kerberos Authentication Disabled)

In normal clusters, MRS components use the native open source authentication mechanism, which is typically Simple authentication. With Simple authentication, when a client connects to a server, authentication is performed automatically as the client user (for example, user root) by default, and the authentication is imperceptible to the administrator or service user. Moreover, a running client can pretend to be any user (including the superuser) by injecting UserGroupInformation. Because cluster resource management and data control APIs are not authenticated on the server, they are easily exploited and attacked by hackers.

Simple authentication is therefore suitable only for single-user scenarios in normal clusters, and even then network access permissions must be tightly controlled to keep the cluster secure:

  • Deploy service applications on ECSs in the same VPC and subnet to avoid accessing the MRS cluster through the external network.
  • Configure security group rules to strictly control the access scope. Do not configure inbound rules for MRS cluster ports that allow Any or 0.0.0.0 as the source.