I'm very excited about the new update to Centrify Suite 2014. This is a maintenance update that brings in support for RHEL7 and Debian 7.5, 7.6 and derivatives of these popular platforms. It includes additional updates, but what really makes it exciting to me is a feature available in the agent for Mac OS X called Combo Join.
Combo join marks an interesting milestone that affects this blog. The merging of Centrify on-premise and Cloud offerings. Combo join addresses the needs of employees with the top-of-line AD integration and Bring Your Own Mac Scenarios for third parties (like contractors or partners).
A simple check-box = more management capabilities
Combo-join means having the ability to register a Mac both as an AD domain member and with the Centrify Cloud Service. This allows for two management possibilities:
The AD Group Policy-based Centrify agent GPOs (400+)
The Centrify Cloud Service policies that can be delivered via GPOs or via the cloud.
Architecturally they are different, one uses the mappers and the other users profile manager. Combo join is a simple check-box that extends the AD Join assistant:
Once joined to the cloud service, a profile is delivered that permits management via the cloud:
This means that now both IT and end-users (via the Centrify User Portal) can perform device management along with their iOS and Android devices and IT will be able to deliver configuration management in a different vehicle without requiring a hard domain join.
Users will be able to perform self-service device management
IT will have more flexibility delivering configuration management
Why is this a game changer?
From this point on, we need to include Centrify User Suite content in this blog and if I'm correct, this is just the beginning. Part of the reason why Centrify solutions are so easy to implement and are so cohesive is because they are developed in-house. Not having to deal with Frankenstein-like solution packages like some of the traditional vendors translates into faster deployments and an easier learning curve.
Expect a Cloud section with info about Server Suite plus sections on synergy between Mac, Server and User Suites.
This playlist also explains the challenges at the OS Level:
*********************************************************************************
As of February 2015 Centrify is gearing-up to release Centrify Suite 2015, with it, enhancements specific to Hadoop deployments are being released. To complement these efforts, integration guides for Cloudera, Hortonworks and MapR are being released, here are the first two:
These are more robust and well-researched papers. The article below from August 2014 will be left there for history purposes, but the post and the accompanying video outdated.
*********************************************************************************
Background
Big Data is one of the fastest spreading IT trends in the enterprise today, it's also a big reason why IT infrastructures have to provide elastic and secure infrastructures. Apache Hadoop (with value-added by Cloudera, Hortonworks, MapR, IBM and others) is gaining a lot of traction in enterprises that are looking to adopt Big Data.
What does this mean to the IT Infrastructure Manager?
More Linux servers
Need for more effective management
More systems that need to be aligned with security practices
Depending data classification, a mature access management model that allows the enforcement of the principles of least access, least privilege, separation of duties, quick attestation and optionally session capture and replay is required.
Customers of Centrify know that all the bullets above are not an issue with properly Centrified (*) systems.
(*) A mature Centrify deployment has no systems in Express mode, has discontinued the use of Classic zones and archaic provisioning methods like ZoneGen, and finally is using RBAC via Centrify-enhanced sudo. Recommendations:
If you are not familiar with terms like Kerberos authentication, keytabs, servicePrincipalName (SPN), userPrincipalName (UPN) and some of the differences between MIT Kerberos and Microsoft Kerberos, I recommend that you familiarize with those topics.
From a Hadoop perspective, leverage Hortonworks/Cloudera/MapR/IBM's professional services organizations. Hadoop is a broad topic and in my observation successful implementations have one thing in common: they get expert help. You are busy enough as it is just keeping-up with the day-by-day.
Keep in mind, the reason why we introducing Active Directory as an alternative to a stand-alone MIT Kerberos is for a simple reason: to eliminate duplication of capabilities. If you go the MIT Kerberos route, this means that you have to maintain two different technology environments + process + people implications. This just doesn't make sense.
If you feel comfortable with the topics above, you at least need to understand what the adkeytab utility is. This post covers adkeytab.
Centrify & AD = Faster Hadoop Implementation
If you've been following this blog, you probably realize the focus on Access Controls and to leverage your existing infrastructure (AD); this extends to Hadoop deployments as well. Because:
You already would have solved the Access and Privilege governance model at the OS level.
You don't need to add more complexity to your environment to enable Hadoop Security.
If you don't have a mature access and privileged model like local accounts or shared accounts, you don't want to continue to propagate the problem.
Hadoop leverages MIT Kerberos to enable security by Kerberizing its services. With Kerberos no passwords go through the wire and there are compensating controls for confidentiality, integrity and other threats.
What is the impact?
Hadoop providers will ask you to stand-up an MIT Kerberos environment to support your BigData deployment; a very simple ask, but with a large impact to the enterprise. Things to take into account:
Kerberos infrastructure - additional services that need to be highly available.
Additional process - add/moves/changes of principals as the nodes expand/contract/change
Potentially a Kerberos trust: If you want to leverage AD, you may need into the business of a Kerberos trust into AD. At least one provider has a recipe for this.
Push-back: Believe it or not, the idea of an additional authentication infrastructure is not going to be welcome by some IT groups.
This is where Centrify can help. Centrify provides the Kerberos environment and tools, services and utilities to extend your access model and accelerate the Hadoop deployment. With that in mind, let's apply the Plan-Do-Check-Adjust model.
Note: Keep in mind, Hadoop follows the MIT kerberos implementation to the letter. This means that there's no concept of multiple service principal names tied to an account (Unlike AD), therefore as of today, that implies that some services will require one account per service per node. I repeat now in AD terms: One AD Account/Keytab, Per Service, Per Node. This is where utilities like adkeytab can help in the automation process. Number of Accounts (Keytabs) = Shared Service Accounts + (Nodes * Unique Service Accounts) E.g. If you have a 50-node cluster that has 2 services that can share the same account/keytab and 5 services that require unique accounts/keytabs, this means that you will have 2 + 50*5 = 252 AD accounts/unique keytabs.
Believe it or not, the easy part is the technology, the hard part is the process and the automation required.
Planning to Secure your Hadoop Services with Centrify
Infrastructure vs. User Apps:
Kerberizing the servies like HDFS, MapReduce, Hive, Zookeeper, etc is just one piece of the puzzle, the user-level apps may have different access models. Many use OS users and groups and Centrify will have you covered, but this is a different design session.
What is the access model at the OS level? (may imply a different zone or set of computer groups)
What are the privileges (commands) for a Hadoop operator? (remember, with Centrify there's no need to share privileged account credentials) - continue to enforce the least privilege model with Centrify RBAC
Just like the Centrify agent, deploying Name Server Cache Daemon can improve performance.
Have a rock-solid naming convention for:
AD account names: remember the 20 character limit. Make sure that you can identify these accounts correctly in AD. Use a dedicated OU if you have a large cluster. Something like Environment-server-service general-to-specific can work. E.g. "mktqa-had01-spnego"
Keytab location and naming:
Keytab protocol:
Secure based on requirements at rest.
Always transport securely
Keep keytabs where they are needed ONLY.
Will the user accounts in AD have non-expiring randomized passwords or will the passwords be randomized after a period of time?
Does the account used for AD Service account/keytab generation have the proper rights in AD to create those users/principals?
What will be the automation strategy? Remember, using cleartext passwords in scripts or other facilities is a NO-NO, but adkeytab is kerberized; therefore you may need to provision a service account with the proper rights in AD and a keytab to be able to launch adkeytab in the automation script.
How are you implementing Hadoop? Is your team being trained? Succesful implementations (just like with Centrify) make use of consulting services; so leverage your Hortonworks, Cloudera or IBM experts. After all, how many Hadoop (or Centrify) deployments have you implemented? How much pure Kerberos knowledge do you have?
Implementation
In this example, we'll use Hortonworks Hadoop Ambari 1.6.x to enable Kerberos in a cluster. The domain is corp.contoso.com, the OU for service accounts is UNIX\Hadoop and the naming convention is servername-servicename.
Set up your system and join it to AD. Make sure you don't register an SPN for http because it will be used by Hadoop. This can be done: - Prior to the join: by editing the /etc/centrifydc/centrifydc.conf and modifying the adclient.krb5.service.principals directive and removing http. E.g. - After the join: Remove the SPN with ADUC or with adkeytab with the -x (delspn) option. adkeytab --delspn --principal http/hadoop1.corp.contoso.com -V Remember that you can check the service principals with the "adinfo -C" command.
Set up your cluster and make sure your services are running.
Go to Administration-Security and Click Enable Kerberos.
Click Next in the Getting started page.
In the Configure Pages page type the AD domain name in all caps in the Realm Name and in the Kerberos tool path, type the Centrify-enhanced Kerberos tools path (/etc/centrifydc/kerberos/bin).
In the Create Principals and Keytabs page, you'll be shown a table with all the principals per host based on your configuration. Ambari provides a CSV file that can be consumed by a keytab-generating script. In the case of Centrify, you can leverage adkeytab to perform these operations. Here are a few examples of what needs to be done. Note: This example assumes that the person running adkeytab has the rights to create the user principals in Active Directory or in the respective container.
Shared Keytab Example (Ambari) Let's analyze this. a) We will be creating a new account (keep in mind that we can adopt an existing principal) (option --new) b) We will be specifying a UPN (because this keytab will be used to get a Kerberos TGT) (option --upn; e.g. ambari-qa@CORP.CONTOSO.COM) c) We will create a keytab file (option --keytab /path/to/file) d) The AD account will be located in a particular OU (option --container <x.500 notation>). E.g. --container "ou=service-accounts,ou=Unix" e) Verbose output is always recommended (-V) f) The final parameter is the dn (distinguished name) of the account in AD. (e.g. hadoop-ambari-qa) Sample command: adkeytab --new --upn ambari-qa@CORP.CONTOSO.COM --keytab /etc/security/keytabs/smokeuser.headless.keytab --container "ou=hadoop,ou=unix" -V hadoop-ambari-qa Then, the keytab has to be permissioned accordingly: chown ambari-qa:hadoop /etc/security/keytabs/smokeuser.headless.keytab chmod 440 /etc/security/keytabs/smokeuser.headless.keytab
Individual Host Keytab Example (HTTP for hadoop2) Analysis a) We will be creating a new account (keep in mind that we can adopt an existing principal) (option --new) b) We will be specifying a UPN and an SPN (because this keytab will be used to get a Kerberos TGT and a TGS) (options --upn & --principal; e.g. HTTP/hadoop2.corp.contoso.com@CORP.CONTOSO.COM) c) We will create a keytab file (option --keytab /path/to/file) d) The AD account will be located in a particular OU (option --container <x.500 notation>). E.g. --container "ou=service-accounts,ou=Unix" e) Verbose output is always recommended (-V) f) The final parameter is the dn (distinguished name) of the account in AD. (e.g. hadoop-ambari-qa) Sample command: adkeytab --new --upn HTTP/hadoop2.corp.contoso.com@CORP.CONTOSO.COM --principal HTTP/hadoop2.corp.contoso.com@CORP.CONTOSO.COM --keytab /etc/security/keytabs/spnego.service.keytab --container "ou=hadoop,ou=unix" -V hadoop2-http Then, the keytab has to be permissioned accordingly: chown root:hadoop /etc/security/keytabs/spnego.service.keytab chmod 440 /etc/security/keytabs/spnego.service.keytab
Verify that the principals have been created in AD and that the keytabs are in the selected directory with the proper ownership and permissions. In addition, you can use the /usr/share centrifydc/kerberos/bin/kinit -kt command to test the principals for TGT or TGS requests.
Go back to Ambari's security wizard and Apply the changes.
Monitor the services, depending on the performance of your cluster, you may have to start some services manually.
Checking the Implementation
Aside from checking the cluster status, if you're using scripts to automate the add/move/changes of nodes, you need to make sure that those scripts are rock solid.
Adjusting the Implementation
There are many improvements to be gained, and this depends on your security needs and the variety of environments. The most notable is the user-facing apps. Remember that as new environments are spun up and versions of Hadoop change, this process has to be revisited.
Dynamic environments expand and contract based on organizational needs; this means that Unix, Linux, Mac OS X servers and workstations are built and decommissioned frequently. Most recently, public/private cloud elasticity accentuates this issue and having an access controls solution like may end-up adding unnecessary complexity if it's not designed for this reality.
When joining a computer to the domain, the computer name (hostname) may not be known to pre-create the AD account, therefore an an authoritative join is the only choice; the issue here is that an AD account that has the ability to join computers into the domain (OU) and into the Centrify zone is required.
Fortunately, Centrify designed the Server Suite solution tool set with this reality in mind. In this post, we will discuss how to add or remove systems from AD securely leveraging Kerberos keytabs and tools like adjoin and adleave. Like all small projects, we'll use the Plan-Do-Check-Adjust methodology.
Requirements
Scripts should not store plain-text passwords
Tools must be automation-friendly
The least access and least privilege principles must be conserved
The Separation of Duties (SoD) principle must be met
Tools
Active Directory Users and Computers
Centrify CLI tools: adjoin, adleave, adkeytab
Kerberos tools: kinit, kdestroy.
Planning
For a simple example, we'll consider the following planning steps:
Incorporate the Centrify agent bits into the infrastructure image, the agent can be installed and not joined.
An AD Service account with the ability to create, remove (or modify) computer objects to the target domain OU should be created.
That same AD service account should have the rights to join, remove and modify objects in the target Centrify zone.
A Kerberos keytab file needs to be created and securely put in a place where the script can use it. Let's assume that the file will be securely copied to a local drive and deleted upon use. Note: this is important, a Kerberos key table file needs to be to be treated with the same sensitivity as a private key. They are not to be left behind on systems even if the account has been properly secured.
In addition to the keytab file, a krb5.conf file with the correct settings needs to be deployed to the unjoined system so the Kerberos tools can find a KDC (AD DC)
Naming conventions for the service account and the hostname need to be pre-established. Keep in mind that computer account names have length limitations.
An AD OU for Unix/Linux or Mac computers is required to limit the scope of where the join account can perform joins.
Implementation (Do)
AD Join service account setup (1-time steps)
Create the Active Directory service account by using ADUC. Make sure that the account and its password do not expire. In this example we'll use "ad-joiner" and the domain is corp.contoso.com
In Active Directory users and computers, use the Delegate Control wizard to delegate the ability to create and delete computer objects.
In the target Centrify zone, use the Delegate Zone Control wizard to give the service account the rights to join, remove and modify computers in the zone.
In a Centrified system, use the adkeytab with the adopt option to create the Kerberos keytab file and randomize the password. This will be performed with the root account so it is protected by that account.
In order to verify that the keytab file works and can join or remove a system, you need an unjoined Unix, Linux or Mac system with the Centrify agent installed.
Log into the system with a local account (that can elevate)
Make the keytab file securely accessible.
Copy the /etc/krb5.conf file from a working Centrified system to the local system: scp <account>@centrified.system:/etc/krb5.conf /etc/krb5.conf
Use the kinit command with the kt option to get a ticket-granting-ticket as the ad-joiner account. /usr/share/centrifydc/kerberos/bin/kinit ad-joiner -kt ad-joiner.keytab
Use the adjoin command without specifying the user option. Adjoin is Kerberized and it will use the ad-joiner's ticket-granting ticket. # adjoin -z Model -c "ou=servers,ou=unix" corp.contoso.com Using domain controller: dc2.corp.contoso.com writeable=true Join to domain: corp.contoso.com, zone: Model succesful
Centrify DirectControl started Initializing cache
At this point the computer has joined the domain.
You can use it for the reverse with adleave. # adleave -r Using domain controller: dc2.corp.contoso.com writeable=true Left domain. Centrify DirectControl stopped.
Adjusting the Process
There are many opportunities to adjust this process and make it better. Here are some examples:
The process can be part of a script that specifies things like zones, computer roles, etc.
ADEdit can be used to pre-create the account in the zone and move the computer to the proper computer role.
The keytab can be deleted from the local host as part of the script termination process process
Active Directory provides a Kerberos environment. We have written extensively about Kerberos capabilities in this blog. We also have explained that Centrify provides tight integration with Microsoft's Kerberos AD implementation by way of their MIT-Kerberos libraries and tools. The advantage of using Centrify's tool set is that the tools are extensively tested against Microsoft's implementation.
A Kerberos key table (or "keytab") file is "is a file containing pairs of Kerberos
principals and encrypted keys (these are derived from the Kerberos
password)."(1).
Kerberos keytab files can help overcome two major issues:
The security requirement of not having plain-text passwords in scripts or helper files.
The increasing IT Infrastructure requirement for automation. The proliferation elastic computing by way of private and public clouds requires that IT adds or reduces capacity on demand in a secure way.
Kerberos Keytabs 101
In a Kerberos environment, each system has at least one keytab table stored on disk. The keytab table lists the service principals and provides at least one key for each of those service principals (/etc/krb5.keytab by default). Remember that principals typically follow the "service@host/REALM" format.
End-users also have Kerberos files, but they are temporary (by default 10 hours), they are stored as a Kerberos cache file (by default /tmp/krb5cc_<uid of the user>), they list any user principals.
When working with a Centrified system, the location of the Centrify-enabled Kerberos tools is /etc/centrifydc/kerberos/bin.
Quick primer on basic Kerberos tools:
kinit: is used to obtain a kerberos ticket-granting-ticket
Keytabs are Sensitive/Confidential information: A Security Procedure needs to be established for the handling of keytabs, because whoever has the keytab can authenticate as the principal used to create it. As a tip, this process should be viewed with the same sensitivity as the handling of private keys.
Using Kerberos Tools
Kerberos tools are great for troubleshooting purposes.
Testing end-to-end AD connectivity and account availability with kinit (e.g. accunt jerry.seinfeld) # /usr/share/centrifydc/kerberos/bin/kinit jerry.seinfeld Password for jerry.seinfeld@CORP.CONTOSO.COM: You are prompted for the user's password. The benefit of this test that it bypasses the NSS, PAM and authorization modules. This means that any user in AD can be tested with kinit.
Listing the contents of a keytab or cache file with klist
For systems # /usr/share/centrifydc/kerberos/bin/klist -kt krb5.keytab Keytab name: FILE:krb5.keytab KVNO Timestamp Principal ---- ----------------- ---------------------------------- 3 05/17/14 22:22:55 host/cen1@CORP.CONTOSO.COM
Note: By default, during a system join (with adjoin) Centrify will automatically register service principals for http ftp cifs nfs, this parameter is controlled by the adclient.krb5.service.principals directive of the centrifydc.conf file.
Valid starting Expires Service principal 08/24/14 14:07:02 08/25/14 00:07:04 krbtgt/CORP.CONTOSO.COM@CORP.CONTOSO.COM renew until 08/25/14 14:07:02 Notice that this is a Kerberos Ticket Granting Ticket (krbtgt).
Ticket-Granting-Tickets vs. Service Tickets
Depending on how the application is using the keytab, it's possible that it will request a ticket-granting ticket (TGT), or a service ticket. Generally, a TGT is given upon a session log-in; a service ticket is requested when a user attempts to access a service on the network. The key here is that a principal without a servicePrincipalName (SPN) can't be used to request a service ticket. This changes how the AD principal is created.
The example above shows how to request a TGT. This example, shows how to test a keytab for a service ticket:
First, we check if the account has a servicePrincipalName (e.g. db2inst1)
Notice that this is not a KRBTGT, but a service ticket.
Using Centrify Tools for Kerberos-related operations
adinfo (with the C option) can be used to review the system service principals, and encryption level. Remember that the latter is set by the domain controller functional level. $ adinfo -C Computer Account Diagnostics Joined as: cen1 Trusted for Delegation: false Use DES Key Only: false Key Version: 6 Service Principal Names: nfs/cen1.corp.contoso.com nfs/cen1 ipp/cen1.corp.contoso.com ipp/cen1 http/cen1.corp.contoso.com http/cen1 host/cen1.corp.contoso.com host/cen1 ftp/cen1.corp.contoso.com ftp/cen1 cifs/cen1.corp.contoso.com cifs/cen1 afpserver/cen1.corp.contoso.com afpserver/cen1 Supported Encryption Type(s): RC4-HMAC AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96 Operating System Version: 6.1:6.5 (Final)
Adkeytab
adkeytab, is arguably one the most powerful command line tools provided by Centrify. When used in tandem with scripts and the Kerberos tools it can help to increase security and provide flexibility in automation scenarios. It has the ability to provision, deprovision and modify server and user principals. Aside from adedit, adkeytab contains the largest command reference.
adkeytab - create and manage Kerberos key tables (*.keytab files)and coordinate changes with the Kerberos key distribution center(KDC) provided by Active Directory.
I will try to highlight some benefits of using adkeytab:
It can be used to create or adopt AD principals: adkeytab can create the user in AD for you, or in a separation of duties scenario, the UNIX/Linux admin can adopt the account provided he has the appropriate rights to modify the AD account.
It randomizes the AD account's password: The major issue with service accounts it that they are considered a shared account since at least one person (the creator or the user) knows the password. With adkeytab it's possible to randomize the password of the AD account, effectively minimizing the need for aggressive password rotation.
Can be fully automated: adkeytab can be used with your scripts to perform operations. This helps with elastic or private clouds.
It's Kerberized! what that means is that you can use a keytab to use adkeytab - this is great for automation.
Syntax can be tricky - there are so many options that it can be overwhelming for beginners; my tips are to use the long for options (e.g. --adopt) and verbose output.
Fixes stale AD computer accounts: It can be used to reset the machine computer account. Just elevate to use the adkeytab command with the -C (--change-password). The output below uses the local system's computer account (--machine) in AD to reset the computer's password in AD.
$ dzdo adkeytab --change-password --machine -V
Attempting bind to centrifyimage.vms site:Demo-Site server:dc.centrifyimage.vms: ccache:FILE:/etc/krb5.ccache
Bind successful to server dc.centrifyimage.vms
Searching for AD Object: filter = (samAccountName=engcen5$), root = DC=centrifyimage,DC=vms
AD Object found: CN=engcen5,OU=UNIX-Servers,OU=Unix,DC=centrifyimage,DC=vms
Key Version = 21
Changing account 'engcen5' password with machine credentials.
Searching for AD Object: filter = (samAccountName=engcen5$), root = DC=centrifyimage,DC=vms
AD Object found: CN=engcen5,OU=UNIX-Servers,OU=Unix,DC=centrifyimage,DC=vms
Key Version = 22
Success: Change Password: Default Key Tab
The posts below, cover scenarios that use Kerberos key table files: