Using Kerberos Authentication

    HAWQ supports Kerberos at the HDFS level, at the user authentication level, or both. You will perform a distinct configuration procedure for each.

    Kerberos provides a secure, encrypted authentication service. It does not encrypt data exchanged between the client and database and provides no authorization services. To encrypt data exchanged over the network, you must use an SSL connection. To manage authorization for access to HAWQ databases and objects such as schemas and tables, you assign privileges to HAWQ users and roles. For information about managing authorization privileges, see Overview of HAWQ Authorization.

    • System time on the Kerberos server and HAWQ hosts is synchronized. (For example, install the package on both servers.)
    • Java 1.7.0_17 or later is installed on all nodes in your cluster. Java 1.7.0_17 is required to use Kerberos-authenticated JDBC on Red Hat Enterprise Linux 6.x or 7.x.
    • You can identify the Key Distribution Center (KDC) server you use for Kerberos authentication and the Kerberos realm in which your cluster resides.

      • If you plan to use an MIT Kerberos KDC Server but have not yet configured it, see for example instructions.

    Note: HAWQ supports Active Directory KDC servers only for Ambari-managed clusters. HAWQ does not support command-line-managed clusters employing an Active Directory KDC server.
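
    A preflight check for two of the prerequisites above (the Java minimum of 1.7.0_17, and knowing your realm and KDC), as an added example that is not part of the HAWQ documentation or tooling. The function names are hypothetical, the hosts are assumed to use an MIT-style krb5.conf, and the sample file contents are constructed.

```shell
# Added example, not HAWQ code: function names are hypothetical, MIT-style krb5.conf assumed.
# Pull the quoted version out of `java -version` output read on stdin.
java_version_from_output() { awk -F'"' '/version/ { print $2; exit }'; }

# Succeed if version string $1 is 1.7.0_17 or later (legacy 1.x.y_zz and 9+ schemes).
java_meets_minimum() {
    printf '%s\n' "$1" | awk -F'[._+-]' '{
        if ($1 + 0 == 1) { major = $2 + 0; update = $4 + 0 }
        else             { major = $1 + 0; update = 0 }
        exit !(major > 7 || (major == 7 && update >= 17))
    }'
}

# Print default_realm from the [libdefaults] section of krb5.conf file $1.
krb5_default_realm() {
    awk -F'[ \t]*=[ \t]*' '
        /^[ \t]*\[/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
        in_lib && $1 ~ /^[ \t]*default_realm$/ { print $2; exit }
    ' "$1"
}

# Print every kdc listed for realm $2 in the [realms] section of file $1.
krb5_kdcs() {
    awk -F'[ \t]*=[ \t]*' -v realm="$2" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /\[realms\]/); next }
        in_realms && $2 ~ /^[{]/ { name = $1; sub(/^[ \t]*/, "", name)
                                   in_block = (name == realm); next }
        in_realms && /[}]/ { in_block = 0; next }
        in_block && $1 ~ /^[ \t]*kdc$/ { print $2 }
    ' "$1"
}

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    OTHER.TEST = {
        kdc = kdc.other.test
    }
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
EOF
realm=$(krb5_default_realm "$SAMPLE_CONF")
echo "realm: $realm  KDCs: $(krb5_kdcs "$SAMPLE_CONF" "$realm" | tr '\n' ' ')"
ver=$(printf 'java version "1.7.0_09"\n' | java_version_from_output)
java_meets_minimum "$ver" || echo "Java $ver is older than 1.7.0_17"
```

    On a cluster node, feed `java -version 2>&1` to `java_version_from_output` and pass the host's own krb5.conf path in place of the sample file.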

    Procedure

    You can configure Kerberos for HAWQ for secure HDFS and for user authentication. You will perform different procedures for each: