Ambari Security Guide 2019 | Kerberos Security
Ambari offers many advanced security options. In this Apache Ambari article we look at one of the most widely used of them: strong authentication with Kerberos. We will discuss how to configure Ambari and Hadoop for strong authentication with Kerberos in detail.
So, let's start the Ambari Security tutorial using Kerberos.
1. What is Ambari Security?
As mentioned above, Ambari and Hadoop have many advanced security options for strong authentication:
- Configuring Ambari and Hadoop for Kerberos.
- Configuring Ambari for LDAP or Active Directory authentication.
- Configuring Ambari for non-root.
- Optional: Encrypt database and LDAP passwords.
- Optional: Set up SSL for Ambari.
- Optional: Set up two-way SSL between Ambari Server and Ambari Agents.
- Optional: Configure ciphers and protocols for Ambari Server.
In this tutorial we cover the first of these: configuring Ambari and Hadoop for strong authentication with Kerberos.
2. Configuring Ambari and Hadoop for Kerberos
To understand Kerberos in Ambari and Hadoop, let's break the topic down into two parts:
- Kerberos Authentication Overview.
- Enabling Kerberos Security.
i. Hadoop Kerberos Authentication
The basis for secure access in Hadoop is strongly authenticating and establishing a user's identity. Hadoop uses Kerberos for strong authentication and identity propagation for both users and services. Kerberos is a third-party authentication mechanism, in which users and services rely on a third party (the Kerberos server) to authenticate each other. The Kerberos server itself is known as the Key Distribution Center (KDC). At a high level, Kerberos has three parts:
- A database of the users and services (known as principals) and their respective Kerberos passwords.
- An Authentication Server (AS), which performs the initial authentication and issues a Ticket Granting Ticket (TGT).
- A Ticket Granting Server (TGS), which issues subsequent service tickets on the basis of the initial TGT.
The process works as follows. A user principal requests authentication from the Authentication Server. The AS returns a TGT encrypted with the user principal's Kerberos password, which is known only to the user principal and the AS.
The user principal decrypts the TGT locally using its Kerberos password, and can then use the TGT to obtain service tickets from the TGS until the TGT expires. Service tickets are the tickets that permit a principal to access particular services.
A keytab is a special file used to decrypt the TGT each time; it holds the resource principal's authentication credentials. The set of hosts, users and services controlled by a Kerberos server is called a realm.
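To make the exchange concrete, here is a minimal model of the AS and TGS steps just described, added as an example (it is not code from this page or from Ambari). A toy HMAC-based cipher stands in for Kerberos's real encryption, and the realm, principal names and passwords are constructed values.

```python
# Added example (not from the page or Ambari): a minimal model of the AS and
# TGS exchanges. A toy encrypt-then-MAC cipher built from HMAC-SHA256 stands
# in for Kerberos's real encryption so the block runs on the standard library;
# the realm, principal names and passwords used with it are constructed.
import hashlib, hmac, json, os, time

def long_term_key(principal, password):   # what the KDC database or a keytab holds
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20000)

def _keystream(key, nonce, n):            # toy keystream covering n bytes
    blocks = (hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)

def seal(key, obj):                       # encrypt a dict under key, then authenticate
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):                    # rejects anything not sealed under key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("not encrypted under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:                                # the AS and TGS share one principal database
    def __init__(self, realm, passwords):
        self.db = {p: long_term_key(p, pw) for p, pw in passwords.items()}
        self.tgs_key = self.db[f"krbtgt/{realm}@{realm}"]
    def as_rep(self, client, lifetime=8 * 3600):   # AS: TGT, readable only with the client's key
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "sk": sk, "exp": time.time() + lifetime})
        return seal(self.db[client], {"sk": sk, "tgt": tgt.hex()})
    def tgs_rep(self, tgt_hex, service):            # TGS: trade a valid TGT for a service ticket
        tgt = unseal(self.tgs_key, bytes.fromhex(tgt_hex))
        if tgt["exp"] < time.time():
            raise ValueError("TGT expired")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": tgt["client"], "sk": svc_sk})
        return seal(bytes.fromhex(tgt["sk"]), {"sk": svc_sk, "ticket": ticket.hex()})

def client_login(kdc, principal, password, service):
    """One user's flow: AS-REP, decrypt with own key, TGS-REP, service ticket."""
    as_rep = unseal(long_term_key(principal, password), kdc.as_rep(principal))  # wrong password fails here
    tgs_rep = unseal(bytes.fromhex(as_rep["sk"]), kdc.tgs_rep(as_rep["tgt"], service))
    return bytes.fromhex(tgs_rep["ticket"])   # opaque to the client; only the service can open it

def service_accepts(kdc, service, ticket):   # the service decrypts with its own long-term key
    return unseal(kdc.db[service], ticket)["client"]
```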
a. Terminologies in Ambari Security
| Term | Description |
|---|---|
| Key Distribution Center (KDC) | The trusted source for authentication in a Kerberos-enabled environment. |
| Kerberos KDC Server | The machine, or server, that serves as the Key Distribution Center (KDC). |
| Kerberos Client | The component that authenticates a machine in the cluster against the KDC. |
| Principal | The unique name of a user or service that authenticates against the KDC. |
| Keytab | A file that contains one or more principals together with their keys. |
| Realm | The Kerberos network, consisting of a KDC and a number of clients. |
| KDC Admin Account | An administrative account used by Ambari to create principals and generate keytabs in the KDC. |
ii. Enabling Kerberos Security
Ambari offers a wizard to help with enabling Kerberos in the cluster, whether you choose automated or manual Kerberos setup. Enabling Kerberos involves two steps:
- Installing the JCE.
- Running the Kerberos Security Wizard.
Before enabling Kerberos, make sure the prerequisite is in place:
- The Java Cryptography Extension (JCE) must be installed on the Ambari Server host and on all hosts in the cluster.
Also, if you are running HDP 2.5, ensure that no technical preview services or features are enabled or running before enabling Kerberos: remove the technical preview service or disable the technical preview feature first.
a. Installing the JCE – Ambari Security
As a prerequisite, deploy the Java Cryptography Extension (JCE) security policy files on the Ambari Server and on all hosts in the cluster before enabling Kerberos.
If you are using the Oracle JDK, you must distribute and install the JCE on all hosts in the cluster, including the Ambari Server, and restart the Ambari Server after installing it. OpenJDK distributions ship with unlimited-strength JCE, so no JCE installation is needed when using OpenJDK.
b. Running the Kerberos Security Wizard – Ambari Security
Ambari offers several options for enabling Kerberos, such as:
- Existing MIT KDC.
- Existing Active Directory.
- Manage Kerberos principals and keytabs manually.
When you choose Existing MIT KDC or Existing Active Directory, the Kerberos Wizard prompts for information about the KDC, the KDC admin account, and the service and Ambari principals. The services and service components are then configured for Kerberos and restarted so that they authenticate against the KDC. This is the automated setup option in Ambari Security.
When you choose to manage Kerberos principals and keytabs manually, you must create the principals and generate and distribute the keytabs yourself, and also perform the Ambari Server Kerberos setup; Ambari does not do this automatically. This is the manual setup option in Ambari Security.
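With the manual option, a useful check on each distributed keytab is to list the principals it contains and compare them with the ones the wizard expects. The following keytab reader, added here as an example and not part of Ambari, parses the MIT keytab format (version 2, which is what the keytab definition above refers to) without printing any key material; the sample keytab bytes and principal names are constructed.

```python
# Added example (not Ambari's own code): list the principals stored in an MIT
# keytab (magic 0x0502, big-endian fields) without surfacing key material, so
# an admin can confirm a manually created keytab holds the expected service
# principals. The sample keytab bytes at the bottom are constructed here.
import struct

def _counted(buf, pos):            # uint16 length prefix followed by bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_principals(data):
    """Return [(principal, kvno, enctype), ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size <= 0:                  # negative size marks a deleted slot
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, p = [], pos + 2
        for _ in range(ncomp + 1):     # realm comes first, then name parts
            s, p = _counted(data, p)
            names.append(s.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), then the key
        _nt, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                 # skip the key bytes entirely
        if end - p >= 4:               # optional 32-bit kvno trailer
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def missing_principals(data, expected):   # expected names absent from keytab
    return sorted(set(expected) - {e[0] for e in keytab_principals(data)})

def _entry(principal, kvno, enctype=18, key=b"\x00" * 32):  # dummy key
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

SAMPLE_KEYTAB = (b"\x05\x02" + _entry("nn/host1.example.com@EXAMPLE.COM", 2)
                 + struct.pack(">i", -3) + b"\x00\x00\x00"   # deleted slot
                 + _entry("HTTP/host1.example.com@EXAMPLE.COM", 1, enctype=17))
```

To run it against a real file, read the keytab with `open(path, "rb").read()` and pass the bytes to `keytab_principals` or `missing_principals`.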
That is all on Ambari Security; we hope you like our explanation.
3. Conclusion: Ambari Security
In this Ambari Security tutorial we discussed what security means in Apache Ambari, saw how to configure Ambari and Hadoop for Kerberos, and went through the Kerberos terminology used in Ambari Security. Tell us about your experience of reading this Apache Ambari Security article. Hope it helps!