To ensure data security for users, MRS clusters provide user identity verification and user authentication functions. To enable all verification and authentication functions, you must enable Kerberos authentication when creating the cluster.
The user identity verification function verifies the identity of a user when the user performs O&M operations or accesses service data in a cluster.
For example, when a user performs an O&M operation on MRS Manager such as restarting services or synchronizing cluster configurations, the user must enter the password of the current MRS Manager account before the operation is carried out.
Users with different identities may have different permissions to access and use cluster resources. To ensure data security, users must be authenticated after identity verification.
Clusters that support Kerberos authentication use the Kerberos protocol for identity verification. The Kerberos protocol supports mutual verification between clients and servers, so user credentials never need to be sent over the network, where they could be captured and replayed to impersonate the user. In MRS clusters, KrbServer provides the Kerberos authentication function.
Kerberos User Object
In the Kerberos protocol, each user object is a principal. A complete principal consists of two parts: a username and a domain name. In O&M or application development scenarios, the user identity must be verified before a client connects to a server. Users for O&M and service operations in MRS clusters are classified into Human-machine and Machine-machine users. The password of a Human-machine user is configured manually, while the password of a Machine-machine user is generated randomly by the system.
Kerberos supports two authentication modes: password and keytab. By default, a completed verification remains valid for 24 hours, after which the user must be verified again.
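As an added example that is not part of this document or of the MRS product, the following Python helper shows how an O&M job would apply the two points above: it builds the kinit command for keytab mode (a Machine-machine user) or password mode (a Human-machine user), and parses klist output to decide whether the cached ticket-granting ticket is still inside its validity period or must be obtained again before the job touches cluster services. The klist line format, the krbtgt service name, the realm HADOOP.COM, the keytab path and the sample output are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed klist ticket-line format (MIT Kerberos, C locale): start, expiry, service.
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumed timestamp format in the klist output

def split_principal(principal):
    """Split a complete principal 'user@REALM' into (username, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("incomplete principal: %r" % principal)
    return name, realm

def kinit_command(principal, keytab=None):
    """kinit argv for the two modes: keytab (Machine-machine users, whose
    password is system-generated) or interactive password (Human-machine)."""
    split_principal(principal)  # reject a name without a realm early
    if keytab is not None:
        return ["kinit", "-kt", keytab, principal]
    return ["kinit", principal]

def tgt_expiry(klist_output):
    """Return (principal, expiry of the krbtgt ticket); expiry is None when no
    ticket-granting ticket for the principal's realm is cached."""
    principal, expiry = None, None
    for line in klist_output.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = TICKET_RE.match(line.strip())
        if m and principal:
            realm = split_principal(principal)[1]
            if m.group(3) == "krbtgt/%s@%s" % (realm, realm):
                expiry = datetime.strptime(m.group(2), TIME_FMT)
    return principal, expiry

def needs_reauth(klist_output, now, margin=timedelta(minutes=30)):
    """True when no TGT is cached or it expires within `margin`: run kinit
    again (from the keytab for a Machine-machine user) before the job starts."""
    _, expiry = tgt_expiry(klist_output)
    return expiry is None or expiry - now <= margin

# Constructed sample of klist output, not captured from a real MRS cluster.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: backup_user@HADOOP.COM
Valid starting       Expires              Service principal
05/01/2024 09:00:00  05/02/2024 09:00:00  krbtgt/HADOOP.COM@HADOOP.COM
"""
```

Calling needs_reauth(SAMPLE_KLIST, datetime(2024, 5, 2, 8, 45)) returns True because the ticket is within 30 minutes of its 24-hour expiry, while the same call three hours after the ticket was issued returns False.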
After a user's identity is verified, the MRS system also authenticates the user, that is, it checks whether the user holds limited or full permission on the cluster resources being accessed. If a user does not have the permission to access a cluster resource, the system administrator must grant the required permission to the user; otherwise, the user's access to the resource fails.