User Identity Requirements
Since Kerberos authentication is used to access Cloudera Hybrid Data Hubs and on-premises data lake services, usernames must align across both identity providers to ensure proper authentication and authorization.
For seamless access between Cloudera Hybrid Data Hubs and on-premises data lake services, user identities must be consistent across both environments. This requirement exists because a trust relationship is established between the FreeIPA cluster deployed in the cloud (as part of the hybrid environment) and the Identity Provider (e.g., Active Directory) used by the on-premises data lake.
Example
A user user1@env.cloudera.site from the hybrid environment attempts to access HDFS running on the on-premises data lake. FreeIPA manages the public cloud hybrid environment domain (env.cloudera.site).
- FreeIPA issues a Kerberos ticket for user1@env.cloudera.site.
- The on-premises HDFS service attempts to validate this ticket with the Active Directory KDC. If user1 exists in Active Directory under the on-premises domain (e.g., user1@acme.ad.com), the ticket can still be accepted, because during the hybrid trust setup the Kerberos auth_to_local user mappings are configured to map both identities to a common local user (user1).
- Access is granted when the mapping resolves successfully, allowing the public cloud user to interact securely with on-premises HDFS resources.
This configuration enables cross-realm authentication between cloud-based and on-premises environments while maintaining Kerberos security guarantees.
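To make the mapping step concrete, the following is an added example (not Cloudera's own code or generated configuration) of a small evaluator for Hadoop-style auth_to_local rules. It assumes the realms ENV.CLOUDERA.SITE and ACME.AD.COM (the uppercase Kerberos forms of the domains above) and a constructed two-rule set that collapses both principals to the local user user1:

```python
import re

# Constructed rule set (assumption, not Cloudera's generated configuration):
# the hybrid FreeIPA realm is the local realm (DEFAULT rule); the trusted
# on-premises AD realm gets an explicit RULE so both realms collapse to "user1".
LOCAL_REALM = "ENV.CLOUDERA.SITE"
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](.*@ACME\.AD\.COM)s/@.*//",  # user1@ACME.AD.COM -> user1
    "DEFAULT",                                    # user1@ENV.CLOUDERA.SITE -> user1
]
# RULE:[<n>:<format>](<acceptance regex>)<sed substitution>; $0 = realm, $1..$n = components
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(.*)")

def split_principal(principal):
    """'svc/host@REALM' -> (['svc', 'host'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm

def sed_substitute(name, subst):
    """Apply 's/regex/replacement/[g]'; escaped delimiters are not supported."""
    if not subst:
        return name
    parts = subst[2:].split(subst[1]) if subst[:1] == "s" and len(subst) > 3 else []
    if len(parts) < 3:
        raise ValueError(f"unsupported substitution: {subst!r}")
    pattern, replacement, flags = parts[:3]
    return re.sub(pattern, replacement, name, count=0 if "g" in flags else 1)

def map_principal(principal, rules=AUTH_TO_LOCAL, local_realm=LOCAL_REALM):
    """Return the local short name for a principal, or None if no rule accepts it."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":            # DEFAULT: first component, local realm only
            if realm == local_realm:
                return comps[0]
            continue
        ncomp, fmt, accept, subst = RULE_RE.fullmatch(rule).groups()
        if int(ncomp) != len(comps):     # a rule only applies to its component count
            continue
        candidate = re.sub(r"\$(\d+)", lambda g: ([realm] + comps)[int(g.group(1))], fmt)
        if accept is not None and not re.fullmatch(accept, candidate):
            continue
        short = sed_substitute(candidate, subst)
        if "@" in short or "/" in short:   # Hadoop rejects non-simple results
            raise ValueError(f"rule {rule!r} produced non-simple name {short!r}")
        return short
    return None
```

Because both principals resolve to the same local account, the username in Active Directory and in FreeIPA must belong to the same person, which is why the requirement above insists on aligned usernames. A principal from a realm no rule covers, or a service principal such as hdfs/nn1.acme.ad.com@ACME.AD.COM, matches nothing and yields None.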
