Authentication is a process that requires users and services to prove their identity when trying to access a system resource. Organizations typically manage user identity and authentication through various time-tested technologies, including Lightweight Directory Access Protocol (LDAP) for identity, directory, and other services, such as group management, and Kerberos for authentication.
Cloudera clusters support integration with both of these technologies. For example, organizations with existing LDAP directory services such as Active Directory (included in Microsoft Windows Server as part of its suite of Active Directory Services) can leverage the organization's existing user accounts and group listings instead of creating new accounts throughout the cluster. Using an external system such as Active Directory or OpenLDAP is required to support the user role authorization mechanism implemented in Cloudera Navigator.
For authentication, Cloudera supports integration with MIT Kerberos and with Active Directory, which includes Kerberos implementation for authentication. Kerberos provides strong authentication, strong meaning that cryptographic mechanisms—rather than passwords alone—are used in the exchange between requesting process and service during the authentication process.
These systems are not mutually exclusive. For example, Microsoft Active Directory is an LDAP directory service that also provides Kerberos authentication services, and Kerberos credentials can be stored and managed in an LDAP directory service. Cloudera Manager Server, CDH nodes, and Cloudera Enterprise components, such as Cloudera Navigator, Apache Hive, Hue, and Impala, can all make use of Kerberos authentication.
- Kerberos Security Artifacts Overview
- Configuring Authentication in Cloudera Manager
- Configuring Authentication for Cloudera Navigator
- Configuring Authentication in CDH Using the Command Line
- Configuring Authentication for Other Components
- Configuring a Cluster-dedicated MIT KDC with Cross-Realm Trust
- Integrating Hadoop Security with Active Directory