FusionInsight HD 6.5.0 Administrator Guide 02


Authentication Policies

The Huawei big data platform performs user identity authentication to prevent invalid users from accessing the cluster. The cluster provides authentication capabilities in both Security Mode and Normal Mode.

Security Mode

The cluster in Security Mode uses the Kerberos authentication protocol to perform security authentication. The Kerberos protocol supports mutual authentication between the client and the server. This improves security and eliminates the security risks caused by sending user credentials over the network for simulated authentication. In FusionInsight HD, KrbServer provides Kerberos authentication support.

Kerberos user object

In the Kerberos protocol, a user object is a principal. A complete user object consists of a username and domain name. In O&M management or application development scenarios, a user can connect to the cluster server only after the user is authenticated on the client. In O&M and service scenarios, Human-machine and Machine-machine users are used. The difference between Human-machine and Machine-machine users is that the passwords of Machine-machine users are randomly generated by the system.

Kerberos authentication

Kerberos authentication supports two modes: password authentication and keytab authentication. The validity period of an authentication is 24 hours by default.

  • Password authentication: Identity authentication is performed by entering the correct password of a user. This mode is mainly used in O&M management scenarios where Human-machine users are used. The command is kinit Username.
  • Keytab authentication: The keytab file includes the user principal and encryption information of user credentials. When the keytab file is used for authentication, the system automatically uses encrypted credential information to perform authentication and the user password does not need to be entered. This mode is mainly used in component application development scenarios where Machine-machine users are used. The keytab file can also be used in the kinit command.
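
What a keytab holds, shown as an added example that is not part of the original guide: a Python reader for the MIT krb5 keytab file format (version 0x0502) that lists each principal, key version and encryption type without returning the key bytes. The principals, realm and all-zero keys are constructed sample values, and it is an assumption that the cluster's keytabs use this MIT layout.

```python
import struct

WEAK_ENCTYPES = {1, 2, 3, 23, 24}  # single-DES and RC4 enctype numbers

def _counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated counted string")
    return buf[off + 2:off + 2 + n], off + 2 + n

def list_keytab_entries(data):
    """Return (principal, kvno, enctype, key_len, weak) per entry; key bytes stay private."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                     # zero length: end of entries
            break
        if size < 0:                      # negative length: deleted slot, skip it
            pos -= size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp.decode())
        _ntype, _ts, kvno, enctype = struct.unpack_from(">IIBH", entry, off)
        key, off = _counted(entry, off + 11)
        if len(entry) - off >= 4:         # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", entry, off)
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append((principal, kvno, enctype, len(key), enctype in WEAK_ENCTYPES))
    return entries

def _build_entry(principal, realm, kvno, enctype, key):
    parts = [realm] + principal.split("/")   # helper used only to construct SAMPLE
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: two hypothetical Machine-machine principals, dummy all-zero keys.
SAMPLE = (b"\x05\x02" + _build_entry("appuser", "EXAMPLE.COM", 3, 18, bytes(32))
          + struct.pack(">i", -8) + bytes(8)
          + _build_entry("svc/node1", "EXAMPLE.COM", 300, 23, bytes(16)))
```

Because the file carries the long-term key itself, anyone who can read it can authenticate as the listed principals without a password, so keep it readable only by the OS user that runs the application.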

Normal Mode

When the cluster is in Normal Mode, different components use different open-source authentication mechanisms, and the kinit authentication command is not supported. FusionInsight Manager (including DBService, KrbServer, and LdapServer) uses the username and password authentication mode. Table 7-1 lists the authentication mechanisms used by components.

Table 14-1 Component authentication modes

| Service | Authentication Mode |
|---|---|
| Flume | No authentication |
| FTP-Server | Username and password authentication |
| HBase | WebUI: No authentication; Client: Simple authentication |
| HDFS | WebUI: No authentication; Client: Simple authentication |
| Hive | Simple authentication |
| Hue | Username and password authentication |
| Kafka | No authentication |
| Loader | WebUI: Username and password authentication; Client: No authentication |
| Mapreduce | WebUI: No authentication; Client: No authentication |
| Metadata | Username and password authentication |
| Oozie | WebUI: Username and password authentication; Client: Simple authentication |
| Redis | No authentication |
| SmallFS | Simple authentication |
| Solr | No authentication |
| Spark | WebUI: No authentication; Client: Simple authentication |
| Storm | No authentication |
| Yarn | WebUI: No authentication; Client: Simple authentication |
| ZooKeeper | Simple authentication |

The authentication modes are described as follows:

  • Simple authentication: During the connection from the client to the server, the execution user on the client (such as the OS user root or omm) is used for automatic authentication by default. Administrators or service users are unaware of the authentication and do not need to run the kinit command to perform the authentication.
  • Username and password authentication: The usernames and passwords of Human-machine users are used for authentication.
  • No authentication: Any user can access the server by default.
Updated: 2019-05-17

Document ID: EDOC1100074522
