Apache Ambari Security
Also available as:
PDF
loading table of contents...

Configuring Ambari Server For Kerberos Authentication

About This Task

By default Ambari requires that a user authenticate using a user name and password. Ambari uses this authentication mechanism whether you configure it to authenticate using its internal database or synchronized with an external source, like LDAP or Active Directory. Optionally, you can configure Ambari to authenticate using Kerberos tokens via SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism).

Since Kerberos tokens represent authenticated Kerberos identities, Ambari tests the tokens against the configured KDC to validate them. Once this check passes, Ambari uses a set of rules to convert a user’s principal to a user name and then searches the internal database for a relevant user. User accounts may be local to Ambari or synchronized from an external source, such as an LDAP directory. If Ambari finds a relevant user, it bypasses the default user name and password login facility.

Ambari Server Kerberos authentication is not related to the Ambari feature that enables Kerberos for a Hadoop cluster. You may enable or disable Ambari Server Kerberos authentication, whether Kerberos is enabled or disabled on the rest of the cluster. If Kerberos was previously enabled in the Hadoop cluster, the infrastructure needed for Ambari Server Kerberos authentication will already be in place. For example, the krb5.conf file will be set up and the required SPNEGO principal and keytab file should be available.

Ambari Server Kerberos authentication requires that you configure the client properly to send Kerberos tickets via the "Authorization" HTTP request header. If Kerberos authentication is enabled, Ambari allows both Kerberos and password authentication. If authentication is not provided or fails, Ambari Server will send the appropriate response to instruct the client to send the Kerberos token.

For example, if using curl and Kerberos authentication is desired, the "negotiate" (--negotiate) option must be specified with an empty value for the username and password option (-u:)

curl --negotiate -u: ...

Web browsers do not typically handle Kerberos authentication without being configured to do so. Please refer to documentation for the specific browser to ensure it is configured to work with Kerberos.

Prerequisites

Before running the Kerberos authentication setup script:

  1. Collect the following information:

    PropertyValuesDescription
    authentication.kerberos.enabled

    true

    false (default)

    Determines whether to use Kerberos (SPNEGO) authentication when connecting Ambari
    authentication.kerberos.spnego.principalHTTP/_HOST (default)The Kerberos principal name to use when verifying user-supplied Kerberos tokens for authentication via SPNEGO.
    authentication.kerberos.spnego.keytab.file/etc/security/keytabs/spnego.service.keytab (default)The Kerberos keytab file to use when verifying user-supplied Kerberos tokens for authentication via SPNEGO.
    authentication.kerberos.user.types

    LDAP (default)

    Available values include:

    • LDAP

    • LOCAL

    • JWT

    • PAM

    A comma-delimited (ordered) list of preferred user types to use when finding the Ambari user account for the user-supplied Kerberos identity during authentication via SPNEGO.
    authentication.kerberos.auth_to_local.rulesDEFAULT (default)The auth-to-local rules set to use when translating a user's principal name to a local username during authentication via SPNEGO.

    Notes:

    - Auth-to-local rules must be separated by "\n", for example:

    authentication.kerberos.auth_to_local.rules=RULE:[1:$1@$0](ambari-server-c1@EXAMPLE.COM)s/.*/admin/\nDEFAULT

    - The SPNEGO principal should always be "HTTP/_HOST", and thus you should never need to set authentication.kerberos.spnego.principal except under special circumstances. The Ambari server replaces "_HOST" using the name of the Ambari Server host.

  2. Ensure the KDC or Active Directory is available.

  3. Set up the /etc/krb5.conf file to point to the relevant KDC (or Active Directory).

  4. Create a SPNEGO principal for the Ambari server host in the KDC.

    HTTP/hostname.example.com@EXAMPLE.COM

  5. Export the keytab for the created SPNEGO principal and place the keytab in a file (readable by the user that executes the Ambari server) at the following path

    /etc/security/keytabs/spnego.service.keytab

If Ambari was previously used to enable Kerberos for the Hadoop cluster, then steps 2 through 5 should already be complete. However, there is no requirement that the cluster be Kerberized to enable Kerberos authentication into Ambari.

Steps

  1. Execute the Kerberos authentication setup script:

    ambari-server setup-kerberos

  2. Provide or select an answer an each of following prompts:

    • Enable Kerberos authentication [true|false] (false):

      • Enter true to enable this feature.

      • Enter false to disable this feature.

    • SPNEGO principal (HTTP/_HOST):

      • Typically, leave (HTTP/_HOST) as the default value, where Ambari replaces _HOST, using the host name of the Ambari server.

        The default realm is appended automatically.

        You specified the host name value in prerequisite #3.

    • SPNEGO keytab file (/etc/security/keytabs/spnego.service.keytab):

      • Set the absolute path to the SPNEGO principal keytab file.

        This path is typically /etc/security/keytabs/spnego.service.keytab, but may be different depending on the value used in prerequisite #4.

    • User type search order [LDAP|LOCAL|JTW] (LDAP):

      • Set the comma-delimited preferred lookup order for Ambari user accounts based on their authentication source.

        If only a specific set of users are to be available for Kerberos authentication then only that one user type must be specified.

        For example, if only users synchronized from an LDAP server should be considered, LDAP should be specified.

    • Auth-to-local rules (DEFAULT):

      • Specify the rules to use to calculate the user name from the principal name parsed from the Kerberos token.

        The DEFAULT rule essentially results in the first component of the principal name. For example:

      • Any other rules required to accommodate other naming conventions must be delimited by "\n". For example,

        The rule set:

        RULE:[1:$1@$0](hadoopadm@EXAMPLE.COM")s/.*/admin/DEFAULT

        should be represented as:

        RULE:[1:$1@$0](hadoopadm@EXAMPLE.COM")s/.*/admin/\nDEFAULT

    • Review your settings and enter y if they are correct, or n if you need to restart the script to make corrections.

  3. Start or restart the Ambari server with the updated settings.

More Information

Configuring Ambari for LDAP or Active Directory Authentication

Creating auth-to-local rules