[GitHub] incubator-hawq-docs pull request #132: add support for active directory KDC ...

Thu, 26 Oct 2017 12:48:40 -0700 

Github user lisakowen commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/132#discussion_r147247794
  
    --- Diff: markdown/clientaccess/kerberos-userauth.html.md.erb ---
    @@ -0,0 +1,459 @@
    +---
    +title: Configuring Kerberos User Authentication for HAWQ
    +---
    +
    +<!--
    +Licensed to the Apache Software Foundation (ASF) under one
    +or more contributor license agreements.  See the NOTICE file
    +distributed with this work for additional information
    +regarding copyright ownership.  The ASF licenses this file
    +to you under the Apache License, Version 2.0 (the
    +"License"); you may not use this file except in compliance
    +with the License.  You may obtain a copy of the License at
    +
    +  http://www.apache.org/licenses/LICENSE-2.0
    +
    +Unless required by applicable law or agreed to in writing,
    +software distributed under the License is distributed on an
    +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    +KIND, either express or implied.  See the License for the
    +specific language governing permissions and limitations
    +under the License.
    +-->
    +
    +When Kerberos authentication is enabled at the user level, HAWQ uses the 
Generic Security Service Application Program Interface \(GSSAPI\) to provide 
automatic authentication \(single sign-on\). When HAWQ uses Kerberos user 
authentication, HAWQ itself and the HAWQ users \(roles\) that require Kerberos 
authentication require a principal and keytab. When a user attempts to log in 
to HAWQ, HAWQ uses its Kerberos principal to connect to the Kerberos server, 
and presents the user's principal for Kerberos validation. If the user 
principal is valid, login succeeds and the user can access HAWQ. Conversely, 
the login fails and HAWQ denies access to the user if the principal is not 
valid.
    +
    +When HAWQ utilizes Kerberos for user authentication, it uses a standard 
principal to connect to the Kerberos KDC. The format of this principal is 
`postgres/<FQDN_of_master>@<realm>`, where \<FQDN\_of\_master\> refers to the 
fully qualified distinguish name of the HAWQ master node.
    +
    +(You may choose to configure HAWQ user principals before you enable 
Kerberos user authentication for HAWQ. See [Configuring Kerberos-Authenticated 
HAWQ Users](#hawq_kerb_user_cfg).)
    +
    +The procedure to configure Kerberos user authentication for HAWQ includes:
    +
    +If you use an MIT Kerberos KDC Server:  
    +**Step 1a**: [Configuring the HAWQ Principals using an MIT KDC 
Server](#hawq_kerb_cfg_mitkdc)  
    +
    +If you use an Active Directory Kerberos KDC Server:  
    +**Step 1b**: [Configuring the HAWQ Principal using an AD KDC 
Server](#hawq_kerb_cfg_adkdc)  
    +
    +**Step 2**: [Configuring HAWQ to use Kerberos 
Authentication](#hawq_kerb_cfg)  
    +**Step 3**: [Configuring Kerberos-Authenticated HAWQ 
Users](#hawq_kerb_user_cfg)  
    +**Step 4**: [Authenticating User Access to HAWQ](#hawq_kerb_dbaccess)  
    +
    +## <a id="hawq_kerb_cfg_mitkdc"></a>Step 1a: Configuring the HAWQ 
Principals using an MIT KDC Server
    +
    +Perform the following procedure to configure HAWQ Kerberos and `gpadmin` 
principals when you are using an MIT KDC server. 
    +
    +**Note**: Some operations may differ based on whether or not you have 
configured secure HDFS. These operations are called out below.
    +
    +1. Log in to the Kerberos KDC server system:
    +
    +    ``` shell
    +    $ ssh root@<kdc-server>
    +    root@kdc-server$ 
    +    ```
    +
    +2. Create a keytab entry for the HAWQ `postgres/<master>` principal using 
the `kadmin.local` command. Substitute the HAWQ master node fully qualified 
distinguished hostname and your Kerberos realm. For example:
    +
    +    ``` shell
    +    root@kdc-server$ kadmin.local -q "addprinc -randkey 
postgres/<master>@REALM.DOMAIN"
    +    ```
    +    
    +    The `addprinc` command adds the principal `postgres/<master>` to the 
KDC managing your \<realm\>.
    +
    +3. Generate a keytab file for the HAWQ `postgres/<master>` principal. 
Provide the same name you used to create the principal.
    +
    +    **If you have configured Kerberos for your HDFS filesystem**, add the 
keytab to the HAWQ client HDFS keytab file:
    +    
    +    ``` shell
    +    root@kdc-server$ kadmin.local -q "xst -norandkey -k 
/etc/security/keytabs/hawq.service.keytab postgres/<master>@REALM.DOMAIN"
    +    ```
    +    
    +    **Otherwise**, generate a new file for the keytab:
    +
    +    ``` shell
    +    root@kdc-server$ kadmin.local -q "xst -norandkey -k hawq-krb5.keytab 
postgres/<master>@REALM.DOMAIN"
    +    ```
    +
    +4. Use the `klist` command to view the key you just generated:
    +
    +    ``` shell
    +    root@kdc-server$ klist -ket ./hawq-krb5.keytab
    +    ```
    +    
    +    Or:
    +    
    +    ``` shell
    +    root@kdc-server$ klist -ket /etc/security/keytabs/hawq.service.keytab
    +    ```
    +    
    +    The `-ket` option lists the keytabs and encryption types in the 
identified key file.
    +
    +5. When you enable Kerberos user authentication for HAWQ, you must create 
a Kerberos principal for `gpadmin` or another HAWQ administrative user. Create 
a Kerberos principal for the HAWQ `gpadmin` administrative role, substituting 
your Kerberos realm. For example:
    +
    +    ``` shell
    +    root@kdc-server$ kadmin.local -q "addprinc -pw changeme 
[email protected]"
    +    ```
    +    
    +    This `addprinc` command adds the principal `gpadmin` to the Kerberos 
KDC managing your \<realm\>. When you invoke `kadmin.local` as specified in the 
example above, `gpadmin` will be required to provide the password identified by 
the `-pw` option when authenticating. Alternatively, you can create a keytab 
file for the `gpadmin` principal and distribute the file to HAWQ client nodes.
    +
    +6. Copy the file in which you added the `postgres/<master>@<realm>` keytab 
to the HAWQ master node:
    +
    +    ``` shell
    +    root@kdc-server$ scp ./hawq-krb5.keytab gpadmin@<master>:/home/gpadmin/
    +    ```
    +    
    +    Or:
    +    
    +    ``` shell
    +    root@kdc-server$ scp /etc/security/keytabs/hawq.service.keytab 
gpadmin@<master>:/etc/security/keytabs/hawq.service.keytab
    +    ```
    +
    +## <a id="hawq_kerb_cfg_adkdc"></a>Step 1b: Configuring the HAWQ Principal 
using an AD KDC Server
    +
    +Perform the following procedure to configure a HAWQ Kerberos principal 
when you are using an AD KDC server.
    +
    +1. Log on to the Windows Active Directory Kerberos KDC server system as a 
user with administrator privileges.
    +
    +2. From the **Start** menu, select **Control Panel > Administrative Tools 
> Active Directory Users and Computers**. (If the **Active Directory Users and 
Computers** menu item is not available, the Active Directory service may not 
have been (correctly) installed.)
    +
    +    The **Active Directory Users and Computers** window displays.
    +
    +3. When you enable Kerberos user authentication for HAWQ, you must create 
a Kerberos principal for the `gpadmin` HAWQ administrative user. Use the left 
pane tree view to navigate to your Kerberos \<realm\> **Managed Service 
Accounts** folder, right-click, and select **New > User** to create a user with 
this name.
    +
    +    The **New Object - User** wizard displays.
    +   
    +4. Fill in the **New Object - User** fields:
    +
    +    **First name:**  gpadmin  
    --- End diff --
    
    i can make this a table if you want.  i was using the convention we used 
when we documented ranger UI steps.  see step 1d in this link:
    
    
http://docs-hdb-review.cfapps.io/review/hawq/ranger/ranger-kerberos.html#kerb_rps2ra_proc


---

Reply via email to