FusionInsight HD V100R002C60SPC200 Product Description 06

KrbServer and LdapServer

Basic Concept

Introduction

To manage the access control rights on data and resources in a FusionInsight cluster, it is recommended that the cluster of the Huawei FusionInsight platform be installed in security mode. In security mode, a client application must be authenticated and a secure session must be established before the application accesses any resource in a FusionInsight cluster. FusionInsight uses KrbServer to provide the Kerberos authentication function for all components, thereby implementing reliable authentication mechanisms.

LdapServer supports the Lightweight Directory Access Protocol (LDAP) and stores the user and user group data used for Kerberos authentication.

Architecture

Security authentication during user login in FusionInsight depends mainly on Kerberos and LDAP.

Figure 2-4 Security authentication scenario architecture

Figure 2-4 includes three scenarios:

  • Logging in to the FusionInsight Manager WebUI

    The authentication architecture includes steps 1, 2, 3, and 4.

  • Logging in to a component WebUI

    The authentication architecture includes steps 5, 6, 7, and 8.

  • Access between components

    The authentication architecture includes step 9.

Table 2-3 Key modules

| Name       | Description |
|------------|-------------|
| Manager    | FusionInsight Manager |
| Manager WS | FusionInsight WebBrowser |
| Kerberos1  | KrbServer (management plane) service deployed in FusionInsight Manager, that is, OMS Kerberos |
| Kerberos2  | KrbServer (service plane) service deployed in the cluster |
| LDAP1      | LdapServer (management plane) service deployed in FusionInsight Manager, that is, OMS LDAP |
| LDAP2      | LdapServer (management plane) service deployed in the cluster |

Kerberos1 accessing LDAP data: Kerberos1 accesses the active and standby LDAP1 instances and the active and standby LDAP2 instances in load balancing mode. Kerberos1 can perform data write operations only on the active LDAP2 instance but can perform data read operations on LDAP1 or LDAP2.

Kerberos2 accessing LDAP data: Kerberos2 can only access the active and standby LDAP2 instances and can only perform data write operations on the active LDAP2 instance.

Principle

Kerberos authentication

Figure 2-5 Authentication process

LDAP data read and write

Figure 2-6 Data modification process

LDAP data synchronization

  • OMS LDAP data synchronization before cluster installation
    Figure 2-7 OMS LDAP data synchronization

    Data synchronization direction before cluster installation: Data is synchronized from the active OMS LDAP to the standby OMS LDAP.

  • LDAP data synchronization after cluster installation
    Figure 2-8 LDAP data synchronization

    Data synchronization direction after cluster installation: Data is synchronized from the active LDAP to the standby LDAP, active OMS LDAP, and standby OMS LDAP.

Updated: 2019-04-10

Document ID: EDOC1000104139
