Identity Authentication and Access Control

Identity Authentication

MRS supports security protocol Kerberos. FusionInsight MRS employs LDAP for the account management system and performs security authentication on account information via Kerberos.

For details about the Kerberos security authentication mechanism, see Security Authentication Principles and Mechanisms.

Access Control

MRS provides two access control models: role-based access control and policy-based access control. For details, see Right Model.

• Role-based Access Control

  By employing a unified user- and role-based authentication system and complying with the account-/role-based access control (RBAC) model, MRS implements role-based permission management and batch user authorization management. It also provides the single sign-on (SSO) capability to offer unified management and authentication for FusionInsight MRS system users and component users. For details about the mechanism, see Right Mechanism.

• Policy-based Access Control
  • Ranger authentication

    MRS supports Ranger authentication. For an MRS cluster in security mode, Ranger authentication is enabled by default. For a normal cluster with the Ranger service installed, Ranger supports permission control on component resources based on OS users.

    For details about Ranger authentication policies, see Permission Verification Policies.

  • Fine-grained authentication for OBS storage-compute decoupled clusters

    If you want to perform fine-grained permission control on OBS resources in OBS storage-compute decoupled clusters, MRS provides you with a fine-grained permission control solution based on the IAM agency.

    For details, see Configuring Fine-Grained Permissions for MRS Multi-User Access to OBS.