KrbServer and LdapServer Principles
Overview
To manage the access control permissions on data and resources in a cluster, it is recommended that the cluster be installed in security mode. In security mode, a client application must be authenticated and a secure session must be established before the application accesses any resource in the cluster. MRS uses KrbServer to provide Kerberos authentication for all components, implementing a reliable authentication mechanism.
LdapServer supports Lightweight Directory Access Protocol (LDAP) and provides the capability of storing user and user group data for Kerberos authentication.
Architecture
The security authentication function for user login depends on Kerberos and LDAP.
Figure 1 includes three scenarios:
- Logging in to the MRS Manager Web UI: the authentication architecture includes steps 1, 2, 3, and 4.
- Logging in to a component web UI: the authentication architecture includes steps 5, 6, 7, and 8.
- Accessing between components
Connection Name | Description
---|---
Manager | Cluster Manager
Manager WS | WebBrowser
Kerberos1 | KrbServer (management plane) service deployed in MRS Manager, that is, OMS Kerberos
Kerberos2 | KrbServer (service plane) service deployed in the cluster
LDAP1 | LdapServer (management plane) service deployed in MRS Manager, that is, OMS LDAP
LDAP2 | LdapServer (service plane) service deployed in the cluster
Data operation mode of Kerberos1 in LDAP: The active and standby instances of LDAP1 and the two standby instances of LDAP2 can be accessed in load balancing mode. Data write operations can be performed only in the active LDAP1 instance. Data read operations can be performed in LDAP1 or LDAP2.
Data operation mode of Kerberos2 in LDAP: Data read operations can be performed in LDAP1 and LDAP2. Data write operations can be performed only in the active LDAP1 instance.
Principle
Kerberos authentication
Kerberos is a security authentication system with a client/server architecture that employs encryption technologies such as DES and AES. The system supports mutual authentication, that is, the client and server can authenticate each other's identity. Kerberos prevents interception and replay attacks, and protects data integrity. It manages keys by using a symmetric key mechanism.
Kerberos authentication consists of the following roles:
- Client
- Server
- Key Distribution Center (KDC): consists of the Authentication Server (AS) and Ticket Granting Server (TGS).
  - AS verifies the client account and password and generates a Ticket Granting Ticket (TGT).
  - TGS generates Service Tickets (STs) for accessing services based on TGTs.
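The AS/TGS/service exchange described above, as an added example that is not KrbServer or MRS code: a simplified model in which tickets and authenticators are HMAC-sealed JSON (integrity only; real Kerberos encrypts them), the AS checks the client key, the TGS turns a TGT into an ST, the service answers under the session key for mutual authentication, and a replay cache plus clock-skew window rejects reused authenticators. Principal names, keys and the 300-second skew are constructed assumptions.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):  # JSON body + HMAC tag: integrity only (real Kerberos encrypts tickets)
    body = json.dumps(obj, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()
def unseal(key, token):  # raises ValueError unless token was produced by seal(key, ...)
    obj = json.loads(token.rsplit(b".", 1)[0])
    if not hmac.compare_digest(token, seal(key, obj)): raise ValueError("tag mismatch")
    return obj

def check_auth(sess_key, authenticator, cname, cache, skew=300):
    """Authenticator must carry the session key, name the ticket's client, be fresh, and be new."""
    a = unseal(sess_key, authenticator)
    if a["cname"] != cname or abs(time.time() - a["ts"]) > skew or (cname, a["ts"]) in cache:
        raise ValueError("authenticator mismatch, stale, or replayed")
    cache.add((cname, a["ts"]))  # replay cache: the same authenticator is never accepted twice
    return a
def ticket(key, cname):  # ticket sealed under the target's long-term key, plus a fresh session key
    sess = os.urandom(32).hex()
    return seal(key, {"cname": cname, "sess": sess, "exp": time.time() + 3600}), sess

class KDC:  # Authentication Server (AS) and Ticket Granting Server (TGS) in one process
    def __init__(self, client_keys, service_keys):
        self.ck, self.sk, self.tgs_key, self.cache = client_keys, service_keys, os.urandom(32), set()
    def as_exchange(self, cname, preauth):  # AS: verify account/password, then issue the TGT
        check_auth(self.ck[cname], preauth, cname, self.cache)
        tgt, sess = ticket(self.tgs_key, cname)
        return tgt, seal(self.ck[cname], {"sess": sess})  # only the real client can open this
    def tgs_exchange(self, tgt, authenticator, service):  # TGS: validate the TGT, issue an ST
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time(): raise ValueError("TGT expired")
        check_auth(bytes.fromhex(t["sess"]), authenticator, t["cname"], self.cache)
        st, sess = ticket(self.sk[service], t["cname"])
        return st, seal(bytes.fromhex(t["sess"]), {"sess": sess})

def service_accept(svc_key, cache, st, authenticator):  # server side; reply gives mutual auth
    t = unseal(svc_key, st)
    if t["exp"] < time.time(): raise ValueError("ST expired")
    a = check_auth(bytes.fromhex(t["sess"]), authenticator, t["cname"], cache)
    return t["cname"], seal(bytes.fromhex(t["sess"]), {"ts": a["ts"]})  # proves server holds svc_key

def client_login(kdc, svc_key, svc_cache, cname, ckey, service):
    """Client side of the flow; returns (name, ST, authenticator) so a replay can be tested."""
    now = time.time()
    tgt, rep = kdc.as_exchange(cname, seal(ckey, {"cname": cname, "ts": now}))
    tgs_sess = bytes.fromhex(unseal(ckey, rep)["sess"])  # opening the reply authenticates the AS
    st, rep2 = kdc.tgs_exchange(tgt, seal(tgs_sess, {"cname": cname, "ts": now + 1}), service)
    svc_sess = bytes.fromhex(unseal(tgs_sess, rep2)["sess"])
    auth = seal(svc_sess, {"cname": cname, "ts": now + 2})
    who, mutual = service_accept(svc_key, svc_cache, st, auth)
    if unseal(svc_sess, mutual)["ts"] != now + 2: raise ValueError("server failed mutual auth")
    return who, st, auth
```

Running `client_login` once succeeds; feeding the returned ST and authenticator to `service_accept` a second time raises, which is the replay protection the text refers to, and a wrong client key fails at the AS step before any ticket is issued.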

LDAP data read and write
LDAP serves as a user data storage center and stores user information (such as passwords and supplementary information) in the cluster. Users need to access LDAP to operate user data or perform Kerberos authentication.

LDAP data synchronization
- OMS LDAP data synchronization before cluster installation
Figure 4 OMS LDAP data synchronization
Data synchronization direction before cluster installation: Data is synchronized from the active OMS LDAP to the standby OMS LDAP.
- LDAP data synchronization after cluster installation
Figure 5 LDAP data synchronization
Data synchronization direction after cluster installation: Data is synchronized from the active OMS LDAP to the standby OMS LDAP and to the two standby component LDAP instances.