### _Why are the changes needed?_

fix #2157 configuration format error

### _How was this patch tested?_

- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [x] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before making a pull request

Closes #2165 from jiaoqingbo/2156-followup.

Closes #2156

9862ddb2 [jiaoqingbo] [KYUUBI #2156][FOLLOWUP] Fix configuration format in document
47157c5c [jiaoqingbo] Merge branch 'master' into 2156-followup
9c89c081 [jiaoqingbo] [KYUUBI #2156][FOLLOWUP]fix cofiguration format
46084328 [jiaoqingbo] Merge branch 'master' into 2156
96a22e59 [jiaoqingbo] add link to doc
dc11a214 [jiaoqingbo] [KYUUBI #2156] Change log to reflect exactly why getting token failed

Authored-by: jiaoqingbo <1178404354@qq.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
Kyuubi Authentication Mechanism
In a secure cluster, services must be able to identify and authenticate their callers: the fact that a client claims to be a given user does not make it so.
Kyuubi's authentication process verifies the user identity that a client presents when it connects to the Kyuubi server. If verification succeeds, a trusted connection is established between the client and the server; otherwise the connection is rejected.
Note that this authentication only decides whether a user may connect to the Kyuubi server. For every other secured service the user wants to interact with, such as Hive Metastore, YARN or HDFS, he or she must also pass that service's own authentication process.
In $KYUUBI_HOME/conf/kyuubi-defaults.conf, set kyuubi.authentication to one of the authentication types listed below (for example NONE, the default, KERBEROS or LDAP).
| Key | Default | Meaning | Since |
|---|---|---|---|
| kyuubi.authentication | NONE | Client authentication type. NONE performs no identity check; KERBEROS and LDAP are configured with the keys below. | 1.0.0 |
| kyuubi.authentication.ldap.base.dn | <undefined> | LDAP base DN. | 1.0.0 |
| kyuubi.authentication.ldap.domain | <undefined> | LDAP domain. | 1.0.0 |
| kyuubi.authentication.ldap.url | <undefined> | SPACE character separated LDAP connection URL(s). | 1.0.0 |
| kyuubi.authentication.sasl.qop | auth | SASL quality of protection (QOP) for Kyuubi's communication with clients: auth (authentication only), auth-int (authentication plus integrity protection) or auth-conf (authentication plus integrity and confidentiality protection). Applies only when Kyuubi is configured for KERBEROS authentication. | 1.0.0 |
Using KERBEROS
If you are deploying Kyuubi with a kerberized Hadoop cluster, it is strongly recommended to set kyuubi.authentication to KERBEROS as well.
Kerberos is a network authentication protocol that provides the tools of authentication and strong cryptography over the network. The Kerberos protocol uses strong cryptography so that a client or a server can prove its identity to its server or client across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.
The Kerberos architecture is centered around a trusted authentication service called the key distribution center, or KDC. Users and services in a Kerberos environment are referred to as principals; each principal shares a secret, such as a password, with the KDC.
The following configurations also need to be set to enable KERBEROS authentication:
| Key | Default | Meaning | Since |
|---|---|---|---|
| kyuubi.kinit.principal | <undefined> | Name of the Kerberos principal. | 1.0.0 |
| kyuubi.kinit.keytab | <undefined> | Location of the Kyuubi server's keytab. | 1.0.0 |
| kyuubi.kinit.interval | PT1H | How often the Kyuubi server runs kinit -kt [keytab] [principal] to renew the local Kerberos credentials cache. | 1.0.0 |
| kyuubi.kinit.max.attempts | 10 | How many times the kinit process retries. | 1.0.0 |
Please refer to Kinit Auxiliary Service for the configuration steps.
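As an added example that is not part of the Kyuubi documentation or code base, the following Python script parses a kyuubi-defaults.conf fragment and checks the settings from both tables on this page: the kyuubi.authentication, LDAP and SASL QOP keys, and the kyuubi.kinit.* keys needed for KERBEROS. The sample configurations, the principal kyuubi/_HOST@EXAMPLE.COM and the keytab path are constructed; the preference for auth-conf and the ldaps:// check are the editor's hardening advice, not Kyuubi defaults.

```python
"""Lint the authentication settings in a kyuubi-defaults.conf.

Added example, not Kyuubi project code. It parses the properties-style
defaults file ('key value' or 'key=value', '#' comments) and applies the
checks a reviewer would make from the configuration tables on this page.
Sample configurations are constructed; the principal and keytab path are
made up.
"""
import re

AUTH_KEY = "kyuubi.authentication"
QOP_KEY = "kyuubi.authentication.sasl.qop"
LDAP_URL_KEY = "kyuubi.authentication.ldap.url"
PRINCIPAL_KEY = "kyuubi.kinit.principal"
KEYTAB_KEY = "kyuubi.kinit.keytab"

# SASL QOP levels: authentication only, plus integrity, plus confidentiality.
VALID_QOP = ("auth", "auth-int", "auth-conf")

# One 'key<sep>value' line; the separator is '=', ':' or whitespace, the
# forms java.util.Properties accepts.
_LINE = re.compile(r"^([^\s=:]+)\s*[=:\s]\s*(.*)$")


def parse_defaults(text):
    """Return {key: value} for a kyuubi-defaults.conf body; last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def lint_auth(conf):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    auth = conf.get(AUTH_KEY, "NONE").upper()   # documented default: NONE
    qop = conf.get(QOP_KEY, "auth").lower()     # documented default: auth

    if auth == "NONE":
        findings.append(f"{AUTH_KEY}=NONE: the claimed user name is never verified")

    if auth == "KERBEROS":
        # The kinit auxiliary service cannot renew credentials without both.
        for key in (PRINCIPAL_KEY, KEYTAB_KEY):
            if not conf.get(key):
                findings.append(f"{key} must be set when {AUTH_KEY}=KERBEROS")
        if qop not in VALID_QOP:
            findings.append(f"{QOP_KEY}={qop!r} is not one of {VALID_QOP}")
        elif qop != "auth-conf":
            # 'auth' authenticates the session but leaves the Thrift traffic
            # unprotected; 'auth-conf' adds integrity and confidentiality.
            findings.append(f"{QOP_KEY}={qop}: client traffic is not encrypted; prefer auth-conf")

    if auth == "LDAP":
        urls = conf.get(LDAP_URL_KEY, "").split()   # space-separated list per the docs
        if not urls:
            findings.append(f"{LDAP_URL_KEY} must be set when {AUTH_KEY}=LDAP")
        for url in urls:
            if url.lower().startswith("ldap://"):
                # A simple bind sends the user's password in clear over ldap://.
                findings.append(f"{url}: simple bind over plain LDAP exposes passwords; use ldaps://")
    return findings


# Constructed samples (not from the page): the default and a hardened server.
WEAK_CONF = """
# constructed: authentication explicitly switched off
kyuubi.authentication NONE
"""

HARDENED_CONF = """
kyuubi.authentication=KERBEROS
kyuubi.kinit.principal=kyuubi/_HOST@EXAMPLE.COM
kyuubi.kinit.keytab=/etc/security/keytabs/kyuubi.service.keytab
kyuubi.kinit.interval PT1H
kyuubi.kinit.max.attempts 10
kyuubi.authentication.sasl.qop auth-conf
"""

if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_auth(parse_defaults(body)) or ["ok"])
```

Running the script prints one finding for the weak configuration and "ok" for the hardened one. The QOP check only fires for KERBEROS because, as the table above notes, the setting has no effect with the other authentication types.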
