Using Kerberos Authentication

Kerberos is an encrypted network authentication protocol for client/server applications. Kerberos is a complex subsystem. Detailing how to install and configure Kerberos itself is beyond the scope of this document. You should familiarize yourself with Kerberos concepts before configuring Kerberos for your HAWQ cluster. For more information about Kerberos, see http://web.mit.edu/kerberos/.

HAWQ supports Kerberos at the HDFS level and at the user authentication level; you can enable either or both. You will perform distinct configuration procedures for each.

Kerberos provides a secure, encrypted authentication service. It does not encrypt data exchanged between the client and database and provides no authorization services. To encrypt data exchanged over the network, you must use an SSL connection. To manage authorization for access to HAWQ databases and objects such as schemas and tables, you assign privileges to HAWQ users and roles. For information about managing authorization privileges, see Overview of HAWQ Authorization.

Prerequisites

Before configuring Kerberos authentication for HAWQ, ensure that:

  • System time on the Kerberos server and HAWQ hosts is synchronized. (For example, install the ntp package on both servers.)
  • Network connectivity exists between the Kerberos server and all nodes in the HAWQ cluster.
  • Java 1.7.0_17 or later is installed on all nodes in your cluster. Java 1.7.0_17 is required to use Kerberos-authenticated JDBC on Red Hat Enterprise Linux 6.x or 7.x.
  • You can identify the Key Distribution Center (KDC) server you use for Kerberos authentication and the Kerberos realm in which your cluster resides.

    • If you plan to use an MIT Kerberos KDC Server but have not yet configured it, see Example: Setting up an MIT Kerberos KDC Server for example instructions.
    • If you are using an existing Active Directory KDC Server, also ensure that you have:

      • Installed all Active Directory service roles on your AD KDC server.
      • Enabled the LDAP service.

      Refer to the Hortonworks documentation Using an Existing Active Directory for additional preparation instructions.

Note: HAWQ supports Active Directory KDC servers only for Ambari-managed clusters. HAWQ does not support command-line-managed clusters employing an Active Directory KDC server.
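
As an added example (not part of the HAWQ documentation), a small POSIX shell preflight script that checks two of the prerequisites above on a HAWQ host: the installed Java version against the stated 1.7.0_17 minimum, and the host clock against the KDC's clock. The 300-second skew limit is an assumption taken from Kerberos' default clock-skew tolerance, and the KDC's time must be obtained separately (for example with `ssh <kdc> date +%s`).

```shell
#!/bin/sh
# Preflight checks for the Kerberos prerequisites: Java >= 1.7.0_17 on the
# node and clock agreement with the KDC. Constructed example, not from the
# HAWQ documentation. Run on every HAWQ host.

MIN_JAVA="1.7.0_17"   # minimum from the prerequisites list
MAX_SKEW=300          # assumption: Kerberos' default clockskew tolerance (seconds)

# Turn "major.minor.patch_update" (e.g. 1.7.0_17) into one comparable
# integer; missing fields count as 0, so "1.8.0" parses as 1.8.0_0.
java_version_key() {
    set -- $(printf '%s' "$1" | tr '._' '  ')
    echo $(( ((${1:-0} * 1000 + ${2:-0}) * 1000 + ${3:-0}) * 10000 + ${4:-0} ))
}

# Succeeds when installed version $1 is at least minimum version $2.
java_version_ok() {
    [ "$(java_version_key "$1")" -ge "$(java_version_key "$2")" ]
}

# Pull the version string out of `java -version` (it prints to stderr and
# may begin with "java version" or "openjdk version").
installed_java_version() {
    java -version 2>&1 | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Succeeds when two clocks, given as epoch seconds, differ by at most MAX_SKEW.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - $skew ))
    [ "$skew" -le "$MAX_SKEW" ]
}

# Driver: fails on the first unmet prerequisite.
# Usage: preflight <kdc_epoch_seconds>
preflight() {
    jv=$(installed_java_version)
    java_version_ok "$jv" "$MIN_JAVA" \
        || { echo "FAIL: Java $jv is older than $MIN_JAVA"; return 1; }
    clock_skew_ok "$(date +%s)" "$1" \
        || { echo "FAIL: clock differs from the KDC by more than ${MAX_SKEW}s"; return 1; }
    echo "OK: Java $jv, clock within ${MAX_SKEW}s of the KDC"
}
```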

Procedure

You can configure Kerberos for HAWQ for secure HDFS and for user authentication. You will perform different procedures for each: