Kerberos Authentication

Overview

To ensure data security for users, MRS clusters provide user identity verification and user authentication functions. To enable all verification and authentication functions, you must enable Kerberos authentication when creating the cluster.

Identity Verification

The user identity verification function verifies the identity of a user when the user performs O&M operations or accesses service data in a cluster.

When a user performs certain O&M operations on MRS Manager, for example restarting services or synchronizing cluster configurations, the user must enter the password of the account currently logged in to MRS Manager.

Authentication

Users with different identities may have different permissions to access and use cluster resources. To ensure data security, users must be authenticated after identity verification.

Identity Verification

Clusters that support Kerberos authentication use the Kerberos protocol for identity verification. The Kerberos protocol supports mutual verification between clients and servers, so user credentials are never sent over the network where they could be captured and replayed to impersonate the user. In MRS clusters, KrbServer provides the Kerberos authentication function.

Kerberos User Object

In the Kerberos protocol, each user object is a principal. A complete principal consists of two parts: username and domain name. In O&M or application development scenarios, the user identity must be verified before a client connects to a server. Users for O&M and service operations in MRS clusters are classified into Human-machine and Machine-machine users. The password of Human-machine users is manually configured, while the password of Machine-machine users is generated by the system randomly.

Kerberos Authentication

Kerberos supports two authentication modes: password and keytab. The default verification validity period is 24 hours.

  • Password verification: User identity is verified by entering the correct password. This mode mainly applies to O&M scenarios where Human-machine users are used. The command is kinit username.
  • Keytab verification: A keytab file contains the user's security information (the encrypted credential). During keytab verification, the system uses the credential in the keytab file automatically, so the user does not need to enter a password. This mode mainly applies to component application development scenarios where Machine-machine users are used. Keytab verification is also performed with the kinit command.
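As an added illustration of the two kinit modes and the 24-hour validity period (example code, not part of the MRS documentation), the following parses the output of the klist command to locate the ticket-granting ticket (TGT) and report how much of its lifetime remains, so a client can tell when kinit must be run again. The klist output, the realm HADOOP.COM and the principal names are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

KLIST_TIME = "%m/%d/%Y %H:%M:%S"   # timestamp format in MIT klist output

# Constructed sample of klist output for a Machine-machine user after
#   kinit -kt mm_user.keytab mm_user@HADOOP.COM      (keytab mode)
# A Human-machine user would instead run  kinit hm_user@HADOOP.COM  and
# type the password; the resulting cache looks the same.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mm_user@HADOOP.COM

Valid starting       Expires              Service principal
05/10/2024 08:00:00  05/11/2024 08:00:00  krbtgt/HADOOP.COM@HADOOP.COM
"""

# One ticket line: <valid starting> <expires> <service principal>
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$", re.M)


def split_principal(principal):
    """A principal is 'username@REALM'; return both parts or raise."""
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm:
        raise ValueError("principal must be user@REALM: %r" % principal)
    return user, realm


def parse_klist(output):
    """Return (principal, tgt_start, tgt_expiry) from klist text."""
    m = re.search(r"^Default principal:\s*(\S+)$", output, re.M)
    if m is None:
        raise ValueError("no credential cache: run kinit first")
    principal = m.group(1)
    _user, realm = split_principal(principal)
    for start, expiry, service in TICKET_RE.findall(output):
        if service == "krbtgt/%s@%s" % (realm, realm):   # the TGT entry
            return (principal,
                    datetime.strptime(start, KLIST_TIME),
                    datetime.strptime(expiry, KLIST_TIME))
    raise ValueError("no TGT for realm %s in cache" % realm)


def tgt_remaining(output, now):
    """Remaining TGT lifetime at `now`; a negative timedelta means the
    ticket has expired and kinit (password or keytab mode) is needed."""
    _principal, _start, expiry = parse_klist(output)
    return expiry - now
```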

Authentication

After a user's identity has been verified, the MRS system also checks the user's permissions to determine whether the user has limited or full access to cluster resources. If a user does not have permission to access a cluster resource, the access fails until the system administrator grants the required permission to the user.