apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
85efd821eb
kyuubi/docs/security/authentication.md
Cheng Pan e49ff88305
[KYUUBI #390] Replace abbr in doc 
![pan3793](https://badgen.net/badge/Hello/pan3793/green) [![Closes #390](https://badgen.net/badge/Preview/Closes%20%23390/blue)](https://github.com/yaooqinn/kyuubi/pull/390) ![20](https://badgen.net/badge/%2B/20/red) ![20](https://badgen.net/badge/-/20/green) ![1](https://badgen.net/badge/commits/1/yellow) ![Target Issue](https://badgen.net/badge/Missing/Target%20Issue/ff0000) ![Test Plan](https://badgen.net/badge/Missing/Test%20Plan/ff0000) [&#10088;?&#10089;](https://pullrequestbadge.com/?utm_medium=github&utm_source=yaooqinn&utm_campaign=badge_info)<!-- PR-BADGE: PLEASE DO NOT REMOVE THIS COMMENT -->

<!--
Thanks for sending a pull request!

Here are some tips for you:
  1. If this is your first time, please read our contributor guidelines: https://kyuubi.readthedocs.io/en/latest/community/contributions.html
  2. If the PR is related to an issue in https://github.com/yaooqinn/kyuubi/issues, add '[KYUUBI #XXXX]' in your PR title, e.g., '[KYUUBI #XXXX] Your PR title ...'.
  3. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP][KYUUBI #XXXX] Your PR title ...'.
-->

### _Why are the changes needed?_
<!--
Please clarify why the changes are needed. For instance,
  1. If you add a feature, you can talk about the use case of it.
  2. If you fix a bug, you can clarify why it is a bug.
-->

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [ ] [Run test](https://kyuubi.readthedocs.io/en/latest/tools/testing.html#running-tests) locally before make a pull request

Closes #390 from pan3793/doc.

4b7cdf2 [Cheng Pan] replace abbr in doc

Authored-by: Cheng Pan <379377944@qq.com>
Signed-off-by: Kent Yao <yao@apache.org>
2021-03-03 22:04:32 +08:00

5.2 KiB
Raw Blame History

Kyuubi Authentication Mechanism

In a secure cluster, services should be able to identify and authenticate callers. As the fact that the user claims does not necessarily mean this is true.

The authentication process of Kyuubi is used to verify the user identity that a client used to talk to the Kyuubi server. Once done, a trusted connection will be set up between the client and server if successful; otherwise, rejected.

Note that, this authentication only authenticate whether a user can connect with Kyuubi server or not. For other secured services that this user wants to interact with, he/she also needs to pass the authentication process of each service, for instance, Hive Metastore, YARN, HDFS.

In $KYUUBI_HOME/conf/kyuubi-defaults.conf, specify kyuubi.authentication to one of the authentication types listing below.

Key Default Meaning Since
kyuubi.authentication
NONE
Client authentication types.
  • NOSASL: raw transport.
  • NONE: no authentication check.
  • KERBEROS: Kerberos/GSSAPI authentication.
  • LDAP: Lightweight Directory Access Protocol authentication.
1.0.0
Key Default Meaning Since
kyuubi.authentication
NONE
Client authentication types.
  • NOSASL: raw transport.
  • NONE: no authentication check.
  • KERBEROS: Kerberos/GSSAPI authentication.
  • LDAP: Lightweight Directory Access Protocol authentication.
1.0.0
kyuubi.authentication
.ldap.base.dn
<undefined>
LDAP base DN.
1.0.0
kyuubi.authentication
.ldap.domain
<undefined>
LDAP base DN.
1.0.0
kyuubi.authentication
.ldap.url
<undefined>
SPACE character separated LDAP connection URL(s).
1.0.0
kyuubi.authentication
.sasl.qop
auth
Sasl QOP enable higher levels of protection for Kyuubi communication with clients.
  • auth - authentication only (default)
  • auth-int - authentication plus integrity protection
  • auth-conf - authentication plus integrity and confidentiality protection. This is applicable only if Kyuubi is configured to use Kerberos authentication.
1.0.0

Using KERBEROS

If you are deploying Kyuubi with a kerberized Hadoop cluster, it is strongly recommended that kyuubi.authentication should be set to KERBEROS too.

Kerberos is a network authentication protocol that provides the tools of authentication and strong cryptography over the network. The Kerberos protocol uses strong cryptography so that a client or a server can prove its identity to its server or client across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

The Kerberos architecture is centered around a trusted authentication service called the key distribution center, or KDC. Users and services in a Kerberos environment are referred to as principals; each principal shares a secret, such as a password, with the KDC.

Set following for KERBEROS mode:

Key Default Meaning Since
kyuubi.kinit
.principal
<undefined>
Name of the Kerberos principal.
1.0.0
kyuubi.kinit.keytab
<undefined>
Location of Kyuubi server's keytab.
1.0.0

For example,

  • Configure with Kyuubi service principal
kyuubi.authentication=KERBEROS
kyuubi.kinit.principal=spark/kyuubi.apache.org@KYUUBI.APACHE.ORG
kyuubi.kinit.keytab=/path/to/kyuuib.keytab
  • Start Kyuubi
$ ./bin/kyuubi start
  • Kinit with user principal and connect using beeline
$ kinit -kt user.keytab user.principal

$ beeline -u "jdbc:hive2://localhost:10009/;principal=spark/kyuubi.apache.org@KYUUBI.APACHE.ORG"