
How-to: Deploy a Secure Enterprise Data Hub on Microsoft Azure Part 1

[Category: Systems (Windows) | Posted by 店小二04 | 2017 | Reposted by 红领巾]

Learn how to use Cloudera Director, Microsoft Active Directory (AD DS, AD CS, AD DNS), SAMBA, and SSSD to deploy a secure EDH cluster for workloads in the public cloud.

Authenticating users is the first line of defense we recommend for Apache Hadoop. As with most, if not all, RDBMSs, a user is given a username and a password and must prove their identity before they can access any data the system manages. The goal is the same in Apache Hadoop, but the Hadoop stack has no authentication component of its own: it delegates identity to a Kerberos Key Distribution Center (KDC), and every user and service proves who it is with a Kerberos ticket.

Two Kerberos KDC implementations are supported on a CDH cluster: a standalone MIT KDC, or the Kerberos KDC built into Microsoft Active Directory (AD), either integrated directly or reached through a cross-realm trust from an MIT KDC. We generally recommend the AD KDC to our enterprise customers, and this post focuses on direct integration of CDH with the Active Directory KDC. Direct integration is favored here because the other tools used in this deployment (Samba, SSSD, AD DNS) all communicate with Active Directory as well.

Active Directory

Active Directory is best known for Domain Services (AD DS), the identity management service that authenticates users and groups. It also hosts other powerful services, such as Active Directory Certificate Services (AD CS) and Active Directory DNS (AD DNS).

On May 6, 2016, my colleague Ben Spivey wrote a blog post on securing a cluster on Amazon AWS. He covered the AD DS and AD CS services in depth, so Ben’s post is a good place to start for those details. This post spends more time on the AD DNS service.

Active Directory Domain Name System

Deploying a CDH cluster requires both forward and reverse name resolution for the cluster’s internal IP addresses. On premises this is usually handled by your system administrator; on Amazon AWS it is configured automatically when you launch an EC2 instance.

A forward DNS lookup resolves a fully qualified domain name (FQDN) to an IP address; a reverse DNS lookup does the opposite, resolving an IP address to an FQDN. At the time of writing, Microsoft Azure does not provide reverse DNS lookups for internal private IP addresses. How to handle this is covered later.

There are many options for DNS when deploying on Azure: you can install the BIND package supported for your Linux distribution, use an existing Active Directory DNS service, and so on. This post covers AD DNS in more detail.

If it is not already configured, ensure your AD administrator has set up a reverse lookup zone in the DNS Manager, as shown below.

Reverse Zone
[Screenshot: DNS Manager, Reverse Lookup Zones]

The important part of the figure above is the red box under “Reverse Lookup Zones”: this is the zone that hosts the PTR records for a particular subnet.

Forward Zone
[Screenshot: DNS Manager, Forward Lookup Zones for CLOUDERA.MORANTUS.COM]

This is a view of the “Forward Lookup Zones” for the CLOUDERA.MORANTUS.COM domain.


[Screenshot: OU tree in Active Directory, no entries yet]

And a view of my OU tree, showing no entries yet.

Azure Virtual Machine

I provisioned a VM in Azure with the default DNS settings; we will join it to our AD DS and AD DNS services.


[Screenshot: hostname -f, hostname -i, and forward/reverse host lookups on the VM]
As you can see, hostname -f prints a very long FQDN for the VM (Azure’s default internal DNS name) and hostname -i prints the IP address assigned to it. Next I did a forward DNS lookup with host <FQDN>, which resolved to that IP address. Then I did a reverse DNS lookup with host <IP address>, shown in the red box above, and it found no reverse entry for the address. A working reverse lookup is a requirement for a CDH deployment, so we’ll revisit this later.
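The same round-trip check, scripted so it can be run on every node before the cluster is deployed. This is an added example and not part of the original post; the sample host output in the comments and the hostnames and addresses in it are constructed. It parses the output of the host command rather than a resolver library so it works on a stock RHEL 6 image with bind-utils installed.

```shell
#!/bin/sh
# Preflight check for the CDH requirement above: the host's FQDN must resolve
# to its IP, and that IP must resolve back to the same FQDN.
# Added example, not part of the original post; the sample "host" output in the
# comments is constructed. Run with --run to check the host this script is on.

# Pull the address out of "host <fqdn>" output, e.g.
#   "vm1.cloudera.morantus.com has address 10.0.1.4"
fwd_addr() {
  printf '%s\n' "$1" | awk '/has address/ { print $NF; exit }'
}

# Pull the name out of "host <ip>" output, dropping the trailing dot, e.g.
#   "4.1.0.10.in-addr.arpa domain name pointer vm1.cloudera.morantus.com."
rev_name() {
  printf '%s\n' "$1" | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Return 0 only when the forward and reverse lookups agree with each other.
# Names are compared case-insensitively: AD DNS may echo back whatever case the
# record was registered with, while Kerberos host principals use lowercase.
dns_roundtrip_ok() {   # $1 fqdn  $2 ip  $3 "host fqdn" output  $4 "host ip" output
  want_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  got_addr=$(fwd_addr "$3")
  got_name=$(rev_name "$4" | tr 'A-Z' 'a-z')
  [ -n "$got_addr" ] && [ "$got_addr" = "$2" ] &&
  [ -n "$got_name" ] && [ "$got_name" = "$want_name" ]
}

# Check the host this script runs on: NXDOMAIN on the reverse lookup (what the
# default Azure resolver returns for a private address) fails the check.
check_this_host() {
  fqdn=$(hostname -f) || return 2
  ip=$(hostname -i | awk '{ print $1 }')
  if dns_roundtrip_ok "$fqdn" "$ip" "$(host "$fqdn" 2>&1)" "$(host "$ip" 2>&1)"; then
    echo "OK: $fqdn <-> $ip"
  else
    echo "FAIL: forward/reverse mismatch for $fqdn ($ip); CDH needs a PTR record" >&2
    return 1
  fi
}

if [ "${1:-}" = "--run" ]; then
  check_this_host
fi
```

Run it as `sh dns-check.sh --run` on each node; a non-zero exit means the node is not ready for CDH. It is worth wiring into Cloudera Director’s bootstrap script so a node with a missing PTR record fails early instead of surfacing later as a Kerberos or HDFS hostname error.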

Samba

To let our RHEL 6.7 VM communicate with Active Directory we use Samba, the open-source implementation of the SMB/CIFS protocol suite whose net and winbind tools allow a Linux host to join and authenticate against an AD domain. Here we use it only to join the domain and create the VM’s computer account.

Join the VM to AD with Samba

Ensure the DNS servers property of your Virtual Network in the Azure portal points to your AD server.

[Screenshot: Azure portal, Virtual Network DNS servers setting]

Install the packages needed to integrate with AD:

    sudo yum install -y samba-common krb5-workstation openldap-clients

Configure the VM to point to the AD DNS server.

[Screenshot: VM resolver configuration with nameserver set to the AD server]

The nameserver entry is the IP address of the AD server. Because the virtual network’s DNS setting is handed out to the VM over DHCP, running “service network restart” on the VM achieves the same result.

Configure Samba and join the VM to the AD domain, then verify the resulting computer object in AD. The join must be executed with a privileged AD account; in this case “jmorantus” is an admin account in Active Directory.

[Screenshot: Samba domain join output, including the failed DNS update]

Note: you can ignore the failed DNS update error shown above. Updating or creating DNS objects in AD requires a Kerberos keytab for an account with that privilege; that step is executed later.

[Screenshot: the new computer object in the servers OU]

As you can see above, the VM joined the AD domain successfully and a computer object was created in the servers OU.

Configure the Kerberos krb5.conf file and generate a keytab for the account that will update DNS in AD.

[Screenshot: krb5.conf and keytab generation]

Update/create the forward and reverse DNS entries.

[Screenshot]

View of the forward DNS entry added to the AD DNS service.

[Screenshot]

View of the reverse DNS entry added to the AD DNS service.

Note: it’s worth mentioning that Active Directory ages dynamic DNS records it considers “inactive” and its scavenging process eventually deletes them. An additional process, such as a periodic re-registration of the records, should be put in place to keep these entries “alive” in AD.
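One way to do both the dynamic update above and the periodic refresh with a single script, as an added example that is not the post’s own commands: the batch is pushed to AD DNS with nsupdate using GSS-TSIG (the -g flag), authenticating with the keytab created in the previous step. The DNS server address, keytab path, principal name, TTL and the host in the dry run are assumptions for illustration.

```shell
#!/bin/sh
# Register this host's A and PTR records in AD DNS with a Kerberos-authenticated
# (GSS-TSIG) dynamic update, and re-run it from cron so AD's aging/scavenging
# never removes them. Added example, not the original post's commands. The DNS
# server address, keytab path, principal and TTL below are assumptions.

# Reverse name for an IPv4 address: 10.0.1.4 -> 4.1.0.10.in-addr.arpa.
ptr_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Emit an nsupdate batch for $1 (FQDN) and $2 (IP) against server $3 with TTL $4.
# A and PTR live in different zones, so each gets its own "send"; deleting first
# guarantees a stale address is replaced rather than accumulated.
render_nsupdate_batch() {
  fqdn=$1 ip=$2 server=$3 ttl=${4:-3600}
  rev=$(ptr_name "$ip")
  printf 'server %s\n' "$server"
  printf 'update delete %s. A\n' "$fqdn"
  printf 'update add %s. %s A %s\n' "$fqdn" "$ttl" "$ip"
  printf 'send\n'
  printf 'update delete %s PTR\n' "$rev"
  printf 'update add %s %s PTR %s.\n' "$rev" "$ttl" "$fqdn"
  printf 'send\n'
}

# Get a ticket from the keytab (no password on disk), push the batch with -g
# (GSS-TSIG), then drop the ticket. A private credential cache keeps a cron run
# from clobbering an interactive user's tickets. Environment:
#   DNS_SERVER  AD DNS server IP      PRINCIPAL  account allowed to update DNS
#   KEYTAB      keytab for PRINCIPAL  TTL        record TTL in seconds
refresh_dns_records() {
  fqdn=${1:-$(hostname -f)}
  ip=${2:-$(hostname -i | awk '{ print $1 }')}
  KRB5CCNAME=/tmp/krb5cc_dnsupdate.$$; export KRB5CCNAME
  kinit -kt "${KEYTAB:-/etc/dnsupdate.keytab}" "${PRINCIPAL:?set PRINCIPAL}" || return 1
  render_nsupdate_batch "$fqdn" "$ip" "${DNS_SERVER:?set DNS_SERVER}" "${TTL:-3600}" | nsupdate -g
  rc=$?
  kdestroy
  return $rc
}

# Dry run: print the batch that would be sent for a constructed host.
if [ "${1:-}" = "--show" ]; then
  render_nsupdate_batch vm1.cloudera.morantus.com 10.0.1.4 10.0.0.4 3600
fi
```

A cron entry such as `0 */6 * * * root PRINCIPAL=dnsupdate@CLOUDERA.MORANTUS.COM DNS_SERVER=10.0.0.4 /usr/local/sbin/dns-refresh.sh` (values assumed) re-registers the records well inside the default aging window. Two caveats: the zone must allow secure dynamic updates, and a record written with secure updates is owned by the principal that created it, so later updates from a different account are refused. Use one dedicated, low-privilege account for all nodes rather than a domain admin, and give it write access to both the forward and the reverse zone.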

SSSD

The System Security Services Daemon (SSSD) provides the Linux host with users and groups from AD through NSS and PAM and caches them locally. This integration is also necessary for authorization: Hadoop’s group mapping and Apache Sentry resolve the groups of an authenticated user from the operating system, so AD groups must be visible on every node for data-access rules to work.


[Screenshot: sssd.conf]
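An sssd.conf for the AD provider that matches the join above, generated and installed by a small script. This is an added example, not the file from the original post; the domain, realm and keytab path are assumptions. The install step enforces the ownership and mode SSSD insists on, and the check function is what you would run on each node before starting the service.

```shell
#!/bin/sh
# Generate and install /etc/sssd/sssd.conf for the AD identity provider, so users
# and groups from the domain joined above are visible to Hadoop's group mapping.
# Added example, not the post's own file. Domain, realm and keytab path are
# assumptions; adjust them for your environment.

# Print an sssd.conf for AD domain $1 (lowercase) and Kerberos realm $2 (UPPERCASE).
render_sssd_conf() {
  domain=$1 realm=$2
  cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[domain/$domain]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_domain = $domain
krb5_realm = $realm
# SSSD authenticates its own lookups with the host keytab written by the domain
# join (or by "net ads keytab create").
krb5_keytab = /etc/krb5.keytab
# Short names only: Hadoop's auth_to_local maps jmorantus@$realm to the Unix
# user "jmorantus", and Sentry looks up that user's groups under that name.
use_fully_qualified_names = False
# Derive UIDs/GIDs from the AD SID so each user gets the same IDs on every node.
ldap_id_mapping = True
cache_credentials = True
fallback_homedir = /home/%u
default_shell = /bin/bash
EOF
}

# Write the config to $3 (default /etc/sssd/sssd.conf). SSSD refuses to start
# unless the file is owned by root with mode 0600, so enforce that here.
install_sssd_conf() {
  dest=${3:-/etc/sssd/sssd.conf}
  render_sssd_conf "$1" "$2" > "$dest" || return 1
  chmod 0600 "$dest" || return 1
  if [ "$(id -u)" = 0 ]; then chown root:root "$dest" || return 1; fi
}

# Sanity-check an installed file: required keys present and permissions tight.
sssd_conf_ok() {
  f=$1
  [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || return 1
  grep -q '^id_provider = ad$' "$f" || return 1
  grep -q '^services = .*nss' "$f" || return 1
  grep -q '^\[domain/' "$f" || return 1
}
```

On RHEL 6 enable it with `authconfig --enablesssd --enablesssdauth --enablemkhomedir --update` and `chkconfig sssd on`, then confirm the integration with `id jmorantus` and `getent group <an AD group>`; if those return nothing, check that the host keytab exists and that sssd.conf passed the check above.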
Now that SSSD is fully configured, we’ll

Source: http://www.codesec.net/view/522646.html