Authentication and security with hadoop

Authentication and security with hadoop

ravi teja-2
Hi Community,

We wanted to have authentication on Hadoop, meaning we want to make sure the user is who he claims to be and doesn't proxy other users using env variables.

From many links, I see that the default choice is Kerberos with Hadoop.
And as far as I understand, Ranger is more like a central place to manage the ACLs on directories and it isn't involved in authentication.

And the information online is pretty old, could get any latest information on the security auth.

I wanted to know if there is any other way than Kerberos for providing this authentication layer?
Because Kerberos had many operation problems while using it with HDFS and now we no longer use it.

Thanks in advance,
Ravi

Re: Authentication and security with hadoop

Arpit Agarwal

Hi Ravi,

Kerberos is the only supported mechanism for strong identity. Most Hadoop access controls are easily bypassed without Kerberos authentication.

Kerberos setup can be difficult. Most Kerberos complications arise with multi-homed hosts or if DNS/reverse DNS is broken. If you run into specific Kerberos operation issues you can ask for answers on this DL.

Apache Hadoop 2.7.3 will have improved documentation on Kerberos setup. Meanwhile you can find the updated docs here:

https://github.com/apache/hadoop/blob/branch-2.7.3/hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md#Multihoming

From: ravi teja <[hidden email]>
Date: Wednesday, July 13, 2016 at 5:46 AM
To: "[hidden email]" <[hidden email]>
Subject: Authentication and security with hadoop

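The reply above names multi-homed hosts and broken DNS/reverse DNS as the usual source of Kerberos trouble. The following Python check is an added example, not part of the original thread or of Hadoop: it verifies that each cluster hostname resolves forward and that every address reverses back to the same name. The function names are hypothetical and the hostnames and addresses are constructed sample data; pass `system_forward` and `system_reverse` instead to query the local resolver.

```python
"""Forward/reverse DNS consistency check to run before enabling Kerberos."""
import socket

def system_forward(name):
    """Addresses the local resolver returns for name (raises OSError if none)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

def system_reverse(addr):
    """PTR name for addr, or None when reverse DNS is missing."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def check_host(fqdn, forward=system_forward, reverse=system_reverse):
    """Return findings for one host; an empty list means DNS is consistent."""
    try:
        addrs = forward(fqdn)
    except OSError:
        return [f"{fqdn}: no forward record"]
    findings = []
    if len(addrs) > 1:  # multi-homed: every interface needs a matching PTR
        findings.append(f"{fqdn}: multi-homed ({', '.join(addrs)})")
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            findings.append(f"{fqdn}: {addr} has no reverse record")
        elif ptr.rstrip(".").lower() != fqdn.lower():
            findings.append(f"{fqdn}: {addr} reverses to {ptr}")
    return findings

def audit(hosts, forward=system_forward, reverse=system_reverse):
    """Map each hostname to its list of findings."""
    return {host: check_host(host, forward, reverse) for host in hosts}

# Constructed sample zone data (documentation address ranges), not real hosts.
SAMPLE_A = {"nn1.example.com": ["192.0.2.10"],
            "dn1.example.com": ["192.0.2.21", "198.51.100.21"],
            "dn2.example.com": ["192.0.2.22"]}
SAMPLE_PTR = {"192.0.2.10": "nn1.example.com",
              "192.0.2.21": "dn1.example.com",
              "198.51.100.21": "dn1-storage.example.com"}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("name not found")
    return SAMPLE_A[name]

def sample_reverse(addr):
    return SAMPLE_PTR.get(addr)

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_A, sample_forward, sample_reverse).items():
        print(host, "OK" if not findings else findings)
```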

Re: Authentication and security with hadoop

ravi teja-2
Thanks for the clarification Arpit.
Will check the docs.

Ravi

On Thu, Jul 14, 2016 at 1:44 AM, Arpit Agarwal <[hidden email]> wrote: