vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/mrs/umn/admin_guide_000237.html
Yang, Tong 2195db241c MRS UMN 20231220 version update 
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2024-05-16 09:40:21 +00:00

103 lines
12 KiB
HTML
Raw Blame History

<a name="admin_guide_000237"></a><a name="admin_guide_000237"></a>
<h1 class="topictitle1">Authentication Policies</h1>
<div id="body1529658735918"><p id="admin_guide_000237__en-us_topic_0046736677_p39190879">The big data platform performs user identity authentication to prevent invalid users from accessing the cluster. The cluster provides authentication capabilities in both security mode and normal mode.</p>
<div class="section" id="admin_guide_000237__s00175c38235a4ba1ae0ba7a8060a1c3a"><h4 class="sectiontitle">Security Mode</h4><p id="admin_guide_000237__en-us_topic_0046736677_p12138304">The clusters in security mode use the Kerberos authentication protocol for security authentication. The Kerberos protocol supports mutual authentication between clients and servers. This eliminates the risks incurred by sending user credentials over the network for simulated authentication. In clusters, KrbServer provides the Kerberos authentication support.</p>
<p id="admin_guide_000237__en-us_topic_0046736677_p42135876"><strong id="admin_guide_000237__en-us_topic_0046344331_b935683819191831">Kerberos user object</strong></p>
<p id="admin_guide_000237__en-us_topic_0046736677_p48303235">In the Kerberos protocol, each user object is a principal. A complete principal consists of username and domain name. In O&amp;M or application development scenarios, the user identity must be verified before a client connects to a server. Users for O&amp;M and service operations are classified into human-machine and machine-machine users. The password of human-machine users is manually configured, while the password of machine-machine users is generated by the system randomly.</p>
<p id="admin_guide_000237__en-us_topic_0046736677_p32075938"><strong id="admin_guide_000237__b350775788113813">Kerberos authentication</strong></p>
<p id="admin_guide_000237__en-us_topic_0046736677_p29474473">Kerberos supports password and keytab authentication. The validity period of authentication is 24 hours by default.</p>
<ul id="admin_guide_000237__en-us_topic_0046736677_ul63943666"><li id="admin_guide_000237__en-us_topic_0046736677_li38622084">Password authentication: User identity is verified by entering the correct password. This mode mainly used in O&amp;M scenarios where human-machine users are used. The configuration command is <strong id="admin_guide_000237__en-us_topic_0046344331_b61946003795942">kinit</strong> <em id="admin_guide_000237__en-us_topic_0046344331_i125159657495942">Username</em>.</li><li id="admin_guide_000237__en-us_topic_0046736677_li36885620">Keytab authentication: Keytab files contain users' principal and encrypted credential information. When keytab files are used for authentication, the system automatically uses encrypted credential information to perform authentication and the user password does not need to be entered. This mode is mainly used in component application development scenarios where machine-machine users are used. Keytab authentication can also be configured using the <strong id="admin_guide_000237__en-us_topic_0046344331_b170450619510918">kinit</strong> command.</li></ul>
</div>
<div class="section" id="admin_guide_000237__sd1c4d2d0153c4fab9392c72f139211df"><h4 class="sectiontitle">Normal Mode</h4><p id="admin_guide_000237__en-us_topic_0046736677_p46071449">Different components in a normal cluster use the native open-source authentication mode and do not support the <strong id="admin_guide_000237__b17240184611445">kinit</strong> authentication command. <span id="admin_guide_000237__text67509419010">MRS</span> Manager (including DBService, KrbServer, and LdapServer) uses the username and password for authentication. <a href="#admin_guide_000237__t7abcbec3c9ea4f04b9e226dbe9d4ca38">Table 1</a> lists the authentication modes used by components.</p>
<div class="tablenoborder"><a name="admin_guide_000237__t7abcbec3c9ea4f04b9e226dbe9d4ca38"></a><a name="t7abcbec3c9ea4f04b9e226dbe9d4ca38"></a><table cellpadding="4" cellspacing="0" summary="" id="admin_guide_000237__t7abcbec3c9ea4f04b9e226dbe9d4ca38" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Component authentication modes</caption><thead align="left"><tr id="admin_guide_000237__en-us_topic_0046736677_row52681125"><th align="left" class="cellrowborder" valign="top" width="30%" id="mcps1.3.3.3.2.3.1.1"><p id="admin_guide_000237__en-us_topic_0046736677_p39312736">Service</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="70%" id="mcps1.3.3.3.2.3.1.2"><p id="admin_guide_000237__en-us_topic_0046736677_p30215023">Authentication Mode</p>
</th>
</tr>
</thead>
<tbody><tr id="admin_guide_000237__row19771317202215"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__p377117142219">ClickHouse</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><p id="admin_guide_000237__p27731713220">Simple authentication</p>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row31497787"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p1183915">Flume</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><p id="admin_guide_000237__en-us_topic_0046736677_p28788263">No authentication</p>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row53330552"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p24807479">HBase</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><ul id="admin_guide_000237__en-us_topic_0046736677_ul63248778"><li id="admin_guide_000237__en-us_topic_0046736677_li32368095">Web UI: No authentication</li><li id="admin_guide_000237__en-us_topic_0046736677_li22877402">Client: simple authentication</li></ul>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row4570028"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p34627969">HDFS</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><ul id="admin_guide_000237__en-us_topic_0046736677_ul53402119"><li id="admin_guide_000237__en-us_topic_0046736677_li10857028">Web UI: no authentication</li><li id="admin_guide_000237__en-us_topic_0046736677_li30604389">Client: simple authentication</li></ul>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row7004053"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p30457452">Hive</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><p id="admin_guide_000237__en-us_topic_0046736677_p51134510">Simple authentication</p>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row57557412"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p31638772">Hue</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><p id="admin_guide_000237__en-us_topic_0046736677_p12603749">Username and password authentication</p>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row46324881"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p61327894">Kafka</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><p id="admin_guide_000237__en-us_topic_0046736677_p1503503">No authentication</p>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row13531531"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p22312206">Loader</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><ul id="admin_guide_000237__en-us_topic_0046736677_ul62458233"><li id="admin_guide_000237__en-us_topic_0046736677_li25253189">Web UI: username and password authentication</li><li id="admin_guide_000237__en-us_topic_0046736677_li25952117">Client: no authentication</li></ul>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row32242465"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p61502840">MapReduce</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><ul id="admin_guide_000237__en-us_topic_0046736677_ul15674164"><li id="admin_guide_000237__en-us_topic_0046736677_li6849756">Web UI: no authentication</li><li id="admin_guide_000237__en-us_topic_0046736677_li61647805">Client: no authentication</li></ul>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row26685362"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p14030717">Oozie</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><ul id="admin_guide_000237__en-us_topic_0046736677_ul62746268"><li id="admin_guide_000237__en-us_topic_0046736677_li27845503">Web UI: username and password authentication</li><li id="admin_guide_000237__en-us_topic_0046736677_li49282936">Client: simple authentication</li></ul>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row47176343"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p63187419">Spark2x</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><ul id="admin_guide_000237__en-us_topic_0046736677_ul17907308"><li id="admin_guide_000237__en-us_topic_0046736677_li26948044">Web UI: no authentication</li><li id="admin_guide_000237__en-us_topic_0046736677_li41205809">Client: simple authentication</li></ul>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row35307962"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p41372713">Storm</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><p id="admin_guide_000237__en-us_topic_0046736677_p62855489">No authentication</p>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row28828491"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p53406450">YARN</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><ul id="admin_guide_000237__en-us_topic_0046736677_ul30955222"><li id="admin_guide_000237__en-us_topic_0046736677_li10161546">Web UI: no authentication</li><li id="admin_guide_000237__en-us_topic_0046736677_li24345054">Client: simple authentication</li></ul>
</td>
</tr>
<tr id="admin_guide_000237__en-us_topic_0046736677_row17778899"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.3.2.3.1.1 "><p id="admin_guide_000237__en-us_topic_0046736677_p30804749">ZooKeeper</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.3.3.2.3.1.2 "><p id="admin_guide_000237__en-us_topic_0046736677_p12156768">Simple authentication</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="admin_guide_000237__en-us_topic_0046736677_p42302050">The authentication modes are as follows:</p>
<ul id="admin_guide_000237__en-us_topic_0046736677_ul45174131"><li id="admin_guide_000237__en-us_topic_0046736677_li3913996">Simple authentication: When the client connects to the server, the client automatically authenticates the user (for example, the OS user <strong id="admin_guide_000237__b470596037113813">root</strong> or <strong id="admin_guide_000237__b629906678113813">omm</strong>) by default. The authentication is imperceptible to the administrator or service user, which does not require <strong id="admin_guide_000237__b11357152416131">kinit</strong>.</li><li id="admin_guide_000237__en-us_topic_0046736677_li48598242">Username and password authentication: Use the username and password of human-machine users in the cluster for authentication.</li><li id="admin_guide_000237__en-us_topic_0046736677_li34731002">No authentication: Any user can access the server by default.</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="admin_guide_000234.html">Security Overview</a></div>
</div>
</div>
View Git Blame Copy Permalink