In addition to MIT Kerberos and Active Directory, Cloudera Data Science Workbench also
supports FreeIPA as an identity management system. However, this support comes with one major
caveat: if your Kerberos configuration file (/etc/krb5.conf) contains
references to any external files that reside on the host operating system, Kerberos
authentication could fail. This is because those files will not automatically be mounted into
the engines where Cloudera Data Science Workbench runs workloads. As a result, any utilities or
plugins referenced in this manner will not work.
To enable FreeIPA support you must perform the following steps.
Modify krb5.conf to remove references to external files
You do not need to edit the krb5.conf file on the
host operating system. Instead, make a copy of the file, and make
your changes there. Points to note:
include and includedir directives
While the include and
includedir directives do typically
reference external files, CDSW does account for those
directives. Therefore, they are safe to use and no changes
need to be made here.
[plugins] directives
The [plugins] section will always refer to a shared library on the
host, which will not be available inside engines. An example
of this is:
If the realm that uses PKINIT is not one that CDSW users will
need a keytab for, it can be removed from the
krb5.conf file. Otherwise, users will need
to create a keytab outside of CDSW and upload it to the
Settings > Hadoop Authentication page.
default_ccache_name directive
A default_ccache_name using the
Linux-specific KEYRING directive does not
work with Cloudera Data Science Workbench. An example of this
line is:
default_ccache_name = KEYRING:persistent:%
You must remove this line from the
krb5.conf file; the default value will
work properly inside CDSW engines.
Copy the contents of krb5.conf to the Site Administration panel
Log into Cloudera Data Science Workbench as a site administrator.
Click Admin > Security.
Copy the contents of the modified krb5.conf
from Step 1 to the Kerberos Configuration text box. Click
Update.
The contents of this text box will now be used as the krb5.conf file in
engines launched for user workloads.
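The checks from the first step can be run over the copy of krb5.conf before it is pasted into the text box. The following is an added example, not Cloudera's code: the function name prepare_krb5_copy and the sample configuration are assumptions made for illustration. It removes a KEYRING default_ccache_name line, flags a [plugins] section for manual review, and records include and includedir lines as safe to keep.

```python
import re

SECTION = re.compile(r"^\s*\[(\w+)\]")
INCLUDE = re.compile(r"^\s*(include|includedir)\s+\S+")
KEYRING = re.compile(r"^\s*default_ccache_name\s*=\s*KEYRING:")

def prepare_krb5_copy(text):
    """Return (cleaned_text, findings) for a copy of krb5.conf.

    findings is a list of (line_number, kind, action) tuples.
    """
    kept, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):    # comments pass through
            kept.append(line)
            continue
        m = SECTION.match(line)
        if m and m.group(1).lower() == "plugins":
            # The shared library lives on the host and is absent in engines.
            # Dropping the realm or uploading a keytab is a human decision,
            # so the section is flagged and left in place.
            findings.append((n, "plugins", "review"))
        elif INCLUDE.match(line):
            findings.append((n, "include", "keep"))  # CDSW accounts for these
        elif KEYRING.match(line):
            findings.append((n, "keyring_ccache", "removed"))
            continue                                 # drop the line
        kept.append(line)
    return "\n".join(kept) + "\n", findings

# Constructed sample input (hypothetical realm, plugin and paths).
SAMPLE = """\
includedir /etc/krb5.conf.d/
[libdefaults]
  default_realm = EXAMPLE.COM
  default_ccache_name = KEYRING:session:demo
[plugins]
  clpreauth = {
    module = demo:/usr/lib64/krb5/plugins/preauth/demo.so
  }
[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
"""

if __name__ == "__main__":
    cleaned, findings = prepare_krb5_copy(SAMPLE)
    for n, kind, action in findings:
        print(f"line {n}: {kind}: {action}")
    print(cleaned, end="")
```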