Tuesday, August 26, 2014

Using Active Directory and Centrify to Accelerate your Linux-based Hadoop Big Data Deployments

Update

Updated whitepapers from August 2015:
This playlist also explains the challenges at the OS Level:


*********************************************************************************
As of February 2015 Centrify is gearing-up to release Centrify Suite 2015, with it, enhancements specific to Hadoop deployments are being released.  To complement these efforts, integration guides for Cloudera, Hortonworks and MapR are being released, here are the first two:


These are more robust and well-researched papers.  The article below from August 2014 will be left there for history purposes, but the post and the accompanying video outdated.
*********************************************************************************

Background

Big Data is one of the fastest spreading IT trends in the enterprise today, it's also a big reason why IT infrastructures have to provide elastic and secure infrastructures. Apache Hadoop (with value-added by Cloudera, Hortonworks, MapR, IBM and others) is gaining a lot of traction in enterprises that are looking to adopt Big Data.

What does this mean to the IT Infrastructure Manager?
  • More Linux servers
  • Need for more effective management
  • More systems that need to be aligned with security practices
  • Depending data classification,  a mature access management model that allows the enforcement of the principles of least access, least privilege, separation of duties, quick attestation and optionally session capture and replay is required.
Customers of Centrify know that all the bullets above are not an issue with properly Centrified (*) systems.

(*) A mature Centrify deployment has no systems in Express mode,  has discontinued the use of Classic zones and archaic provisioning methods like ZoneGen, and finally is using RBAC via Centrify-enhanced sudo.

Recommendations:

  • If you are not familiar with terms like Kerberos authentication, keytabs, servicePrincipalName (SPN), userPrincipalName (UPN) and some of the differences between MIT Kerberos and Microsoft Kerberos, I recommend that you familiarize with those topics.
  • From a Hadoop perspective, leverage Hortonworks/Cloudera/MapR/IBM's professional services organizations.  Hadoop is a broad topic and in my observation successful implementations have one thing in common:  they get expert help.  You are busy enough as it is just keeping-up with the day-by-day.
  • Keep in mind, the reason why we introducing Active Directory as an alternative to a stand-alone MIT Kerberos is for a simple reason: to eliminate duplication of capabilities.  If you go the MIT Kerberos route, this means that you have to maintain two different technology environments + process + people implications. This just doesn't make sense.
  • If you feel comfortable with the topics above, you at least need to understand what the adkeytab utility is.  This post covers adkeytab.

Centrify & AD = Faster Hadoop Implementation

If you've been following this blog, you probably realize the focus on Access Controls and to leverage your existing infrastructure (AD);  this extends to Hadoop deployments as well.  Because:
  • You already would have solved the Access and Privilege governance model at the OS level.
  • You don't need to add more complexity to your environment to enable Hadoop Security.
If you don't have a mature access and privileged model like local accounts or shared accounts, you don't want to continue to propagate the problem.

Hadoop Infrastructure Security 101
InfoQ does a much better job in this article discussing Hadoop's security evolution.  I will focus on a small piece: internal authentication.

Hadoop leverages MIT Kerberos to enable security by Kerberizing its services.  With Kerberos no passwords go through the wire and there are compensating controls for confidentiality, integrity and other threats.    

What is the impact?
Hadoop providers will ask you to stand-up an MIT Kerberos environment to support your BigData deployment;  a very simple ask, but with a large impact to the enterprise.  Things to take into account:
  • Kerberos infrastructure - additional services that need to be highly available.
  • Additional process - add/moves/changes of principals as the nodes expand/contract/change
  • Potentially a Kerberos trust:  If you want to leverage AD, you may need into the business of a Kerberos trust into AD.  At least one provider has a recipe for this.
  • Push-back:  Believe it or not, the idea of an additional authentication infrastructure is not going to be welcome by some IT groups.
This is where Centrify can help.  Centrify provides the Kerberos environment and tools, services and utilities to extend your access model and accelerate the Hadoop deployment.  With that in mind, let's apply the Plan-Do-Check-Adjust model.

Note:  Keep in mind, Hadoop follows the MIT kerberos implementation to the letter. This means that there's no concept of multiple service principal names tied to an account (Unlike AD), therefore as of today, that implies that some services will require one account per service per node.   I repeat now in AD terms:  One AD Account/Keytab, Per Service, Per Node.  This is where utilities like adkeytab can help in the automation process.

Number of Accounts (Keytabs) = Shared Service Accounts + (Nodes * Unique Service Accounts)

E.g.  If you have a 50-node cluster that has 2 services that can share the same account/keytab and 5 services that require unique accounts/keytabs, this means that you will have 2 + 50*5 = 252 AD accounts/unique keytabs.

Believe it or not, the easy part is the technology, the hard part is the process and the automation required.

Planning to Secure your Hadoop Services with Centrify

Infrastructure vs. User Apps: 
Kerberizing the servies like HDFS, MapReduce, Hive, Zookeeper, etc is just one piece of the puzzle, the user-level apps may have different access models.  Many use OS users and groups and Centrify will have you covered, but this is a different design session.
  • What is the access model at the OS level? (may imply a different zone or set of computer groups)
  • What are the privileges (commands) for a Hadoop operator? (remember, with Centrify there's no need to share privileged account credentials) - continue to enforce the least privilege model with Centrify RBAC
  • Just like the Centrify agent, deploying Name Server Cache Daemon can improve performance.
  • Have a rock-solid naming convention for:
    • AD account names:  remember the 20 character limit.  Make sure that you can identify these accounts correctly in AD.   Use a dedicated OU if you have a large cluster.  Something like Environment-server-service general-to-specific can work.  E.g. "mktqa-had01-spnego"
    • Keytab location and naming:  
  • Keytab protocol:
    • Secure based on requirements at rest.
    • Always transport securely
    • Keep keytabs where they are needed ONLY.
    • Will the user accounts in AD have non-expiring randomized passwords or will the passwords be randomized after a period of time?
  • Does the account used for AD Service account/keytab generation have the proper rights in AD to create those users/principals?
  • What will be the automation strategy?  Remember, using cleartext passwords in scripts or other facilities is a NO-NO, but adkeytab is kerberized;  therefore you may need to provision a service account with the proper rights in AD and a keytab to be able to launch adkeytab in the automation script.
  • How are you implementing Hadoop?  Is your team being trained?  Succesful implementations (just like with Centrify) make use of consulting services;  so leverage your Hortonworks, Cloudera or IBM experts.  After all, how many Hadoop (or Centrify) deployments have you implemented?  How much pure Kerberos knowledge do you have?  

Implementation

In this example, we'll use Hortonworks Hadoop Ambari 1.6.x to enable Kerberos in a cluster.  The domain is corp.contoso.com, the OU for service accounts is UNIX\Hadoop and the naming convention is servername-servicename.
  1. Set up your system and join it to AD.  Make sure you don't register an SPN for http because it will be used by Hadoop.  This can be done:
    - Prior to the join:  by editing the /etc/centrifydc/centrifydc.conf and modifying the adclient.krb5.service.principals  directive and removing http.  E.g.
    - After the join: Remove the SPN with  ADUC or with adkeytab with the -x (delspn) option.
    adkeytab --delspn --principal http/hadoop1.corp.contoso.com -V
    Remember that you can check the service principals with the "adinfo -C" command.
  2. Set up your cluster and make sure your services are running.
  3. Go to Administration-Security and Click Enable Kerberos.
  4. Click Next in the Getting started page.
  5. In the Configure Pages page type the AD domain name in all caps in the Realm Name and  in the Kerberos tool path, type the Centrify-enhanced Kerberos tools path (/etc/centrifydc/kerberos/bin).
  6. In the Create Principals and Keytabs page, you'll be shown a table with all the principals per host based on your configuration.

    Ambari provides a CSV file that can be consumed by a keytab-generating script.  In the case of Centrify, you can leverage adkeytab to perform these operations.  Here are a few examples of what needs to be done.  Note:  This example assumes that the person running adkeytab has the rights to create the user principals in Active Directory or in the respective container.
    1. Shared Keytab Example (Ambari)
      Let's analyze this.
      a) We will be creating a new account (keep in mind that we can adopt an existing principal) (option --new)
      b) We will be specifying a UPN (because this keytab will be used to get a Kerberos TGT) (option --upn;  e.g. ambari-qa@CORP.CONTOSO.COM)
      c) We will create a keytab file (option --keytab /path/to/file)
      d) The AD account will be located in a particular OU  (option --container <x.500 notation>).  E.g. --container "ou=service-accounts,ou=Unix"
      e) Verbose output is always recommended (-V)
      f) The final parameter is the dn (distinguished name) of the account in AD.  (e.g. hadoop-ambari-qa)
      Sample command:
      adkeytab --new --upn ambari-qa@CORP.CONTOSO.COM --keytab /etc/security/keytabs/smokeuser.headless.keytab --container "ou=hadoop,ou=unix" -V hadoop-ambari-qa
      Then, the keytab has to be permissioned accordingly: 
      chown ambari-qa:hadoop /etc/security/keytabs/smokeuser.headless.keytab
      chmod 440 /etc/security/keytabs/smokeuser.headless.keytab
    2. Individual Host Keytab Example (HTTP for hadoop2)
      Analysis
      a) We will be creating a new account (keep in mind that we can adopt an existing principal) (option --new)
      b) We will be specifying a UPN and an SPN (because this keytab will be used to get a Kerberos TGT and a TGS) (options --upn & --principal;  e.g. HTTP/hadoop2.corp.contoso.com@CORP.CONTOSO.COM)
      c) We will create a keytab file (option --keytab /path/to/file)
      d) The AD account will be located in a particular OU  (option --container <x.500 notation>).  E.g. --container "ou=service-accounts,ou=Unix"
      e) Verbose output is always recommended (-V)
      f) The final parameter is the dn (distinguished name) of the account in AD.  (e.g. hadoop-ambari-qa)
      Sample command:
      adkeytab --new --upn HTTP/hadoop2.corp.contoso.com@CORP.CONTOSO.COM --principal HTTP/hadoop2.corp.contoso.com@CORP.CONTOSO.COM --keytab /etc/security/keytabs/spnego.service.keytab --container "ou=hadoop,ou=unix" -V hadoop2-http
      Then, the keytab has to be permissioned accordingly: 
      chown root:hadoop /etc/security/keytabs/
      spnego.service.keytab
      chmod 440 /etc/security/keytabs/spnego.service.keytab
  7. Verify that the principals have been created in AD and that the keytabs are in the selected directory with the proper ownership and permissions.  In addition, you can use the /usr/share centrifydc/kerberos/bin/kinit -kt command to test the principals for TGT or TGS requests.

  8. Go back to Ambari's security wizard and Apply the changes.
  9. Monitor the services, depending on the performance of your cluster, you may have to start some services manually.

Checking the Implementation

Aside from checking the cluster status, if you're using scripts to automate the add/move/changes of nodes, you need to make sure that those scripts are rock solid.  

Adjusting the Implementation

There are many improvements to be gained, and this depends on your security needs and the variety of environments.  The most notable is the user-facing apps.  Remember that as new environments are spun up and versions of Hadoop change, this process has to be revisited.

6 comments:

  1. Hi,

    I am working with a customer to enable Kerberos with AD/Centrify directly on Hortonworks HDP 2.x, and looking for guide to enable Kerberos with existing AD directly. Is there any guide you can share for the same?

    Thanks,
    Pardeep

    ReplyDelete
  2. If your customer is using Centrify for access controls on Linux there's plenty of resources out there including this post. Centrify includes MIT Kerberos libraries and utilities optimized to work with AD, this makes it easy to create keytabs and control access. Unfortunately if you're not using Centrify then you probably have to go the route of RedHat IdM (FreeIPA) and their SSSD client which is basically a new Kerberos realm and a trust relationship. Unfortunately in environments that capability duplication is not well received you may get push back.

    ReplyDelete
  3. Would it be possible to refresh this page and do a version for Hortonworks Hadoop Ambari 2.0
    This used Kerberos a bit differently because it attempts to automate keytab and account creation. It seems to require an admin account on a KAdmin. Does such a thing exist in Centrify?

    ReplyDelete
  4. You need to use the CSV generated by Ambari (or Cloudera Manager/Map R) and use that as inputs for adkeytab (centrify utility) to create your AD service accounts and generate the appropriate keytabs.

    As far as your request goes, can you add it to David's post on Hortonworks-Centrify in the Centrify Community page? The URL is: http://community.centrify.com/t5/Centrify-Server-Suite/Identity-and-Access-Management-for-Hortonworks-Data-Platform/ba-p/19797

    My posts are based on what my customers are asking, and at this point they're requesting ServiceNOW integration, 2 Factor Auth, Automation and the Newly-released CPS service.

    Keep in mind that this post was declared obsolete, the canon are the 3 whitepapers released by Centrify for Hortonworks, Cloudera and MapR.

    ReplyDelete
  5. I am afraid that your information - and that of the Hortonworks white paper you linked to is out of date. What you describe only works with Ambari 1.x and not 2.x which is what I have to use now.
    I have registered with the Centrify Community and am trying to post there - but I don't seem to have permissions.
    A BIG thanks for the URL for that post

    Keep up the great work.

    ReplyDelete
  6. Yes, you are right and I acknowledge that the post is out of date; unfortunately and since Ambari 2 was released in April (we are in may as I post this) there's no refreshed documentation based on that version. I've communicated to PMs that these integration guides are alive and that the lifecycle needs to be managed. I also happen to know that Centrify will be working on this next month and a document should follow. I will see if in my spare time I can check-out HDP 2x and hopefully my laptop can run at least a 2-node cluster.

    ReplyDelete