Kerberos security
When creating a cluster via Cloudbreak, you can optionally enable Kerberos security in that cluster and provide your Kerberos configuration details. Cloudbreak will automatically extend your blueprint configuration with the defined properties. Refer to this section if you would like to use Kerberos security with Cloudbreak-managed clusters.
Kerberos overview
Kerberos is a third party authentication mechanism, in which users and services that users wish to access Hadoop rely on a third party - the Kerberos server - to authenticate each to the other.
The Kerberos server itself is known as the Key Distribution Center, or KDC. At a high level, the KDC has three parts:
- A database of the users and services (known as principals) and their respective Kerberos passwords
- An Authentication Server (AS) which performs the initial authentication and issues a Ticket Granting Ticket (TGT)
- A Ticket Granting Server (TGS) that issues subsequent service tickets based on the initial TGT
A user principal requests authentication from the AS. The AS returns a TGT that is encrypted using the user principal’s Kerberos password, which is known only to the user principal and the AS. The user principal decrypts the TGT locally using its Kerberos password, and from that point forward, until the ticket expires, the user principal can use the TGT to get service tickets from the TGS. Service tickets are what allow the principal to access various services.
Since cluster resources (hosts or services) cannot provide a password each time to decrypt the TGT, they use a special file, called a keytab, which contains the resource principal authentication credentials. The set of hosts, users, and services over which the Kerberos server has control is called a realm.
The following table explains the Kerberos related terminology:
| Term | Description |
|---|---|
| Key Distribution Center, or KDC | The trusted source for authentication in a Kerberos-enabled environment. |
| Kerberos KDC Server | The machine, or server, that serves as the Key Distribution Center (KDC). |
| Kerberos Client | Any machine in the cluster that authenticates against the KDC. |
| Principal | The unique name of a user or service that authenticates against the KDC. |
| Keytab | A file that includes one or more principals and their keys. |
| Realm | The Kerberos network that includes a KDC and a number of clients. |
Enabling Kerberos
The option to enable Kerberos is available in the advanced Security section of the create cluster wizard. You have the following options for enabling Kerberos in a Cloudbreak managed cluster:
| Option | Description | Environment |
|---|---|---|
| Use existing KDC | Allows you to leverage an existing MIT KDC or Active Directory for enabling Kerberos with the cluster. You can either provide the required parameters and Cloudbreak will generate the descriptors on your behalf, or provide the exact Ambari Kerberos descriptors to be injected into your blueprint in JSON format. | Suitable for production |
| Use test KDC | Installs a new MIT KDC on the master node and configures the cluster to leverage that KDC. | Suitable for evaluation and testing only, not suitable for production |