Configure FreeIPA

In addition to MIT Kerberos and Active Directory, Cloudera Data Science Workbench also supports FreeIPA as an identity management system. However, this support comes with one major caveat: if your Kerberos configuration file (/etc/krb5.conf) contains references to any external files that reside on the host operating system, Kerberos authentication could fail. This is because those files will not automatically be mounted into the engines where Cloudera Data Science Workbench runs workloads. As a result, any utilities or plugins referenced in this manner will not work.

Therefore, to enable FreeIPA support you must perform the following steps.

  1. Modify krb5.conf to remove references to external files
    You do not need to edit the krb5.conf file on the host operating system. Instead, make a copy of the file, and make your changes there. Points to note:
    include and includedir directives

    While the include and includedir directives do typically reference external files, CDSW does account for those directives. Therefore, they are safe to use and no changes need to be made here.

    [plugins] directives
    The [plugins] will always refer to a shared library on the host, which will not be available inside engines. An example of this is:
    [plugins]
    localauth = { 
    module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
    }
    You must remove the entire [plugins] section from krb5.conf. It is not needed for the commands used by Cloudera Data Science Workbench.
    PKINIT
    The PKINIT option can also point to external files which will not exist by default in CDSW engines. An example of such a configuration is:
    [libdefaults]
        EXAMPLE.COM = {
            pkinit_anchors = FILE:/usr/local/example.com.crt
        }
    If the realm that uses PKINIT is not one that CDSW users will need a keytab for, it can be removed from the krb5.conf file. Otherwise, users will need to create a keytab outside of CDSW and upload it to the Settings > Hadoop Authentication page.
    default_ccache_name directive
    A default_ccache_name using the Linux-specific KEYRING directive does not work with Cloudera Data Science Workbench. An example of this line is:
    default_ccache_name = KEYRING:persistent:%

    You must remove this line from the krb5.conf file; the default value will work properly inside CDSW engines.

  2. Copy the contents of krb5.conf to the Site Administration panel
    1. Log into Cloudera Data Science Workbench as a site administrator.
    2. Click Admin > Security.
    3. Copy the contents of the modified krb5.conf from Step 1 to the Kerberos Configuration text box. Click Update.

      The contents of this text box will now be used as the krb5.conf file in engines launched for user workloads.