This document proposes setting up an authentication architecture for three Hadoop clusters using Red Hat Identity Management (IdM/IPA). It involves setting up an IPA server pair for DNS, Kerberos, and LDAP services. A one-way trust from Active Directory to IPA will allow credentials to sync. IPA will centralize sudo rules, application IDs, and user management. The domains will have the same name but different realms (e.g. dev.dmt.rogers.com and DEV.DMT.ROGERS.COM). LDAPS with AES256/128 encryption will be used. SSSD will cache credentials across the clusters.

Big Data Authentication Architecture

Big Data Authentication Proposal


Presented to Active Directory team

By

Ron Burnette, Big Data Consultant, Oalva, Inc.


Rajeev Ratnalingam, Hadoop Administrator
Fraser Campbell, Hadoop Administrator

Monday, August 29, 2016 11:00am EDT


Brampton SE2.B08.14

Goals:
• Set up Red Hat Identity Management (IdM/IPA) server pair (fault-tolerant) to provide DNS, Kerberos KDC and LDAP services for the three Hadoop clusters managed by the DMT group:
   - Development, Production, SAS Production

• Obtain approval from AD team to set up a one-way trust from AD to our IPA server

• Build new Development Hadoop environment – will have its own KDC and we’ll use a trust to connect it to IPA

• Upgrade existing Production cluster to latest version from Hadoop vendor; Authenticate through IPA

• Install and configure Ranger for fine-grained access control of HDP resources (HDFS, YARN, Hive, HBase)

• Migrate SAS cluster authentication to new IPA-based setup

• Clean up naming standards in domains and realms



Key factors:
• Domain name and realm name will be the same except realm is in caps

• IPA domain will be dmt.rogers.com

• Hadoop environments will be on subdomains under dmt.rogers.com:
   - dev.dmt.rogers.com, prod.dmt.rogers.com

• IPA server names must resolve forward and backward for IPA to install properly

• SSSD will be used to cache user credentials, integrate with sudo rules and Host-based access control
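The naming and DNS rules on this slide can be checked before ipa-server-install is run. The script below is an added example, not part of the proposal: it verifies that every environment domain sits under dmt.rogers.com, that each realm is its domain in capitals, and that each IPA server name resolves forward and reverse to the same name. The server names, addresses and the stale PTR record in FAKE_DNS are constructed for an offline run; against real servers the default resolver uses the system DNS.

```python
"""Added example (not part of the proposal): checks the naming and DNS rules
from the 'Key factors' slide. Every environment domain must sit under the IPA
domain, its Kerberos realm must be the domain in upper case, and each IPA
server name must resolve forward and reverse to the same name. The resolver
is pluggable so the check also runs offline against constructed data."""
import socket

IPA_DOMAIN = "dmt.rogers.com"  # IPA domain named in the proposal

# Environment domains and realms as drawn on the architecture slide.
ENVIRONMENTS = {
    "dev.dmt.rogers.com": "DEV.DMT.ROGERS.COM",
    "prod.dmt.rogers.com": "PROD.DMT.ROGERS.COM",
    "sas.dmt.rogers.com": "SAS.DMT.ROGERS.COM",
}

# Constructed DNS data for an offline run. Server names and addresses are
# placeholders, not the real IPA servers; ipa2's PTR is deliberately stale.
IPA_SERVERS = ["ipa1.dmt.rogers.com", "ipa2.dmt.rogers.com"]
FAKE_DNS = {
    "ipa1.dmt.rogers.com": "10.0.0.11", "10.0.0.11": "ipa1.dmt.rogers.com",
    "ipa2.dmt.rogers.com": "10.0.0.12", "10.0.0.12": "ipa2-old.dmt.rogers.com",
}


def realm_for(domain):
    """Proposal convention: realm name == domain name in capitals."""
    return domain.upper()


def check_environment(domain, realm):
    """Return the problems with one environment's domain/realm pair."""
    problems = []
    if domain != IPA_DOMAIN and not domain.endswith("." + IPA_DOMAIN):
        problems.append(f"{domain}: not a subdomain of {IPA_DOMAIN}")
    if realm != realm_for(domain):
        problems.append(f"{domain}: realm {realm!r} should be {realm_for(domain)!r}")
    return problems


def _system_resolve(name_or_ip):
    """Default resolver: IP -> PTR name, name -> A record, None if absent."""
    try:
        socket.inet_aton(name_or_ip)
        is_ip = True
    except OSError:
        is_ip = False
    try:
        if is_ip:
            return socket.gethostbyaddr(name_or_ip)[0]
        return socket.gethostbyname(name_or_ip)
    except OSError:  # gaierror and herror are both OSError subclasses
        return None


def check_forward_reverse(fqdn, resolver=_system_resolve):
    """Verify the round trip fqdn -> A -> PTR -> fqdn that the IPA installer
    expects. resolver(name) returns an IP and resolver(ip) returns a name."""
    ip = resolver(fqdn)
    if ip is None:
        return [f"{fqdn}: no forward (A) record"]
    back = resolver(ip)
    if back is None:
        return [f"{fqdn}: {ip} has no reverse (PTR) record"]
    if back.lower().rstrip(".") != fqdn.lower().rstrip("."):
        return [f"{fqdn}: reverse of {ip} is {back!r}, not {fqdn!r}"]
    return []


def check_plan(environments, ipa_servers, resolver=_system_resolve):
    """Run every check and return the combined list of problems."""
    problems = []
    for domain, realm in environments.items():
        problems += check_environment(domain, realm)
    for fqdn in ipa_servers:
        problems += check_forward_reverse(fqdn, resolver)
    return problems


if __name__ == "__main__":
    # Offline demo against the constructed records; drop FAKE_DNS.get to
    # query the real DNS instead.
    for line in check_plan(ENVIRONMENTS, IPA_SERVERS, FAKE_DNS.get) or ["plan OK"]:
        print(line)
```

Run with the real server names and without the FAKE_DNS.get argument once the DNS entries exist; an empty result means the A and PTR records agree for every IPA server and the realm naming convention holds for every environment.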

Authentication protocols and encryption type:


• LDAPS will be used with SSL/TLS (CA certificate from AD)

• Encryption type will be aes256 and aes128
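Whether the deployed hosts actually honour these two choices can be audited from their krb5.conf and sssd.conf. The script below is an added example, not part of the proposal: it parses both files, flags any Kerberos enctype list that admits something other than the AES-256/AES-128 types, and flags any SSSD domain that talks plain ldap://, does not demand the server certificate, or has no CA certificate configured. The enctype names aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 are the MIT Kerberos names assumed to correspond to the slide's "aes256 and aes128"; the sample configs, host names and the CA path /etc/ipa/ca.crt are constructed.

```python
"""Added example (not part of the proposal): audits krb5.conf and sssd.conf
fragments against the protocol slide. Kerberos must be limited to the
AES-256/AES-128 enctypes, and LDAP must use ldaps:// with the CA
certificate checked. All sample configs below are constructed."""

# MIT Kerberos enctype names assumed for the slide's "aes256 and aes128".
STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_conf(text):
    """Minimal [section] / key = value parser for krb5.conf and sssd.conf.
    Brace-delimited realm blocks in krb5.conf are skipped; only the flat
    keys this audit needs are collected, with key names lower-cased."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def audit_krb5(text):
    """Findings for [libdefaults]: every enctype list must contain only the
    strong AES types, and weak crypto must not be re-enabled."""
    findings = []
    libdefaults = parse_conf(text).get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        value = libdefaults.get(key)
        if value is None:
            findings.append(f"krb5.conf: {key} not set, library default may allow weaker enctypes")
            continue
        weak = sorted(set(value.split()) - STRONG_ENCTYPES)
        if weak:
            findings.append(f"krb5.conf: {key} allows {', '.join(weak)}")
    if libdefaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("krb5.conf: allow_weak_crypto = true")
    return findings


def audit_sssd(text):
    """Findings per [domain/...] section: ldaps:// URIs only, the server
    certificate demanded, and a CA certificate path configured."""
    findings = []
    for name, keys in parse_conf(text).items():
        if not name.startswith("domain/"):
            continue
        uris = [u.strip() for u in keys.get("ldap_uri", "").split(",")]
        bad = [u for u in uris if not u.startswith("ldaps://")]
        if bad:
            findings.append(f"sssd.conf [{name}]: ldap_uri not ldaps://: {', '.join(bad)}")
        if keys.get("ldap_tls_reqcert", "").lower() != "demand":
            findings.append(f"sssd.conf [{name}]: ldap_tls_reqcert must be 'demand'")
        if "ldap_tls_cacert" not in keys:
            findings.append(f"sssd.conf [{name}]: ldap_tls_cacert (CA certificate) not set")
    return findings


# Constructed 'before' and 'after' fragments; host names and the CA path
# are assumptions, not values from the proposal.
KRB5_WEAK = """
[libdefaults]
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac
  allow_weak_crypto = true
[realms]
  DMT.ROGERS.COM = {
    kdc = ipa1.dmt.rogers.com
  }
"""
KRB5_HARDENED = """
[libdefaults]
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
SSSD_WEAK = """
[domain/dmt.rogers.com]
  id_provider = ldap
  ldap_uri = ldap://ipa1.dmt.rogers.com
  ldap_tls_reqcert = allow
"""
SSSD_HARDENED = """
[domain/dmt.rogers.com]
  id_provider = ldap
  ldap_uri = ldaps://ipa1.dmt.rogers.com, ldaps://ipa2.dmt.rogers.com
  ldap_tls_reqcert = demand
  ldap_tls_cacert = /etc/ipa/ca.crt
"""

if __name__ == "__main__":
    for label, findings in (("krb5.conf (weak)", audit_krb5(KRB5_WEAK)),
                            ("krb5.conf (hardened)", audit_krb5(KRB5_HARDENED)),
                            ("sssd.conf (weak)", audit_sssd(SSSD_WEAK)),
                            ("sssd.conf (hardened)", audit_sssd(SSSD_HARDENED))):
        print(label, findings or "OK")
```

The weak krb5 fragment produces four findings (arcfour-hmac in both ticket enctype lists, no permitted_enctypes, and allow_weak_crypto switched on) and the weak sssd fragment three; both hardened fragments pass. On a real host, feed the audit functions the contents of /etc/krb5.conf and /etc/sssd/sssd.conf.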


Architecture diagram (text rendering of the slide):

Active Directory
   |  one-way trust from AD to IPA for user credentials
   v
RedHat IdM/IPA (SSSD, KDC)
   DNS=dmt.rogers.com
   Realm=DMT.ROGERS.COM
   IPA centralizes: Sudo rules, App IDs, User Management, Host-based Access Control (via SSSD)
   |
   v
Dev HDP Cluster (SSSD, KDC)      Prod HDP Cluster (SSSD, KDC)      Prod SAS HDP Cluster (SSSD, KDC)
   DNS=dev.dmt.rogers.com           DNS=prod.dmt.rogers.com           DNS=sas.dmt.rogers.com
   Realm=DEV.DMT.ROGERS.COM         Realm=PROD.DMT.ROGERS.COM         Realm=SAS.DMT.ROGERS.COM

SSSD on each cluster caches users and credentials.

Any questions?
