Hadoop Authentication with FreeIPA for ML Workspaces

CDP uses FreeIPA to provide centralised identity management. FreeIPA combines four identity management capabilities: an LDAP user directory, a Kerberos KDC, a DNS server for shared services, and a shared Certificate Authority. This method of identity management, where your users/groups are maintained in FreeIPA and passwords are authenticated via SSO to Active Directory, provides the infrastructure needed for CDP services, without requiring you to expose your AD over the network.

This procedure is required if you want to run Spark workloads in an ML workspace.

  1. Gather your FreeIPA credentials from the CDP Management Console.
    1. Log in to the CDP web interface at https://console.us-west-1.cdp.cloudera.com using your corporate credentials or any other credentials that you received from your CDP administrator.
    2. From the bottom-left corner of the navigation bar, click on your username and go to your user profile.
    3. Click Set FreeIPA Password and set a password.
    4. Make a note of the following credentials. These will be required later.
      • The workload cluster username that is available in the Workload User Name field on your profile page.
      • The FreeIPA password configured in the previous step.
  2. Click ML Workspaces and navigate to your ML workspace.
  3. Open the top-right dropdown menu and click Account settings > Hadoop Authentication.
  4. Enter the FreeIPA credentials that you noted in step 1.4 and click Authenticate.
    • Kerberos Principal: <workload_username>
    • Password: The FreeIPA password that you set in step 1.3.

Once you have authenticated successfully, Cloudera Machine Learning uses your stored credentials to ensure you are secure when running workloads.