A little while back, I wrote about integrating Cloudera Manager with the Centrify LDAP Proxy for external authentication. If you've configured your Cloudera cluster with this option, the next logical step may be SSO, MFA and external access. Typing in credentials and using VPN when off-network is never much fun so today we're going to cover adding a simple username and password application to Centrify Identity Service to take our Active Directory authentication to the next level.
Note: Cloudera is the only Hadoop vendor that also supports SAML authentication but that requires reconfiguring the entire external authentication stack plus some SAML assertion scripting so we'll stick to the easy stuff today.
Step One: Configure Cloudera Manager to use the Centrify LDAP Proxy for external authentication. This is documented in my previous blog so if this isn't done yet, follow those steps and then return here for step two.
Step Two: Create and publish a new Centrify Identity Services app.
1) Log into your Centrify Identity Services tenant with an administrative account.
2) Switch to the Admin Portal by selecting it from the drop-down box on your name in the top right corner of the user portal.
3) Select Apps on the main menu bar.
4) We're going to create a new App from scratch using a generic template so click on Add Web Apps, Custom, User-Password. Select Add and you can begin filling out the various preferences for your new application. Complete as follows:
- Under Application Settings, enter the URL: http://yourhost.yourdomain.com:7180/j_spring_security_check. Cloudera (and I) recommend you first enable TLS for at least Cloudera Manager to add HTTPS support. If you have followed Cloudera's instructions for doing so, configure your URL with https instead of http. For this example, either will work.
- Under Description, type in Cloudera Manager (Clustername) for Application Name, add a description and a category, and select a logo for your application. I just Googled "cloudera icon" under images and snagged a square 200x200 Cloudera icon.
- Under User Access, select the role or roles where you wish to publish your new application.
- Under Policy, you have the option to configure MFA policies. There are plenty of Centrify blogs which detail how to configure multi-factor so I'll defer to those.
- Under Account Mapping, select whether you want each user to enter/store their own personal AD or Cloudera Manager database credentials or obfuscate a shared credential (e.g. admin:HopefullySomePasswordOtherThanTheDefaultOfAdmin) that will be entered when they click on the application tile.
- Under Advanced, replace the default script with the following lines:
- Optional: Under App Gateway, configure your application for VPN-less access from outside the network.
That's it! Click Save to publish your new app. If you required each user to enter/store their credentials, they will be prompted at first use to enter their personal credentials. From then on, you will have SSO from your Centrify user portal. While you're at it, you can also add Centrify Privilege Service resource tiles for your nodes to give you secure remote ssh access and shared credential (e.g. root) check-in/check-out all in one portal.
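To sanity-check a tile before publishing it, the following added example (my own code, not Centrify's or Cloudera's) audits the choices made in the sections above: the login URL scheme and path, the shared-credential option in Account Mapping, the MFA policy, and App Gateway exposure. The dict layout, host names and policy name are constructed assumptions, not Centrify's export format.

```python
from urllib.parse import urlparse

# Constructed app definitions mirroring the Admin Portal sections used above
# (Application Settings, Account Mapping, Policy, App Gateway). The dict layout
# is an assumption for this example, not Centrify's export format.
WEAK_APP = {
    "name": "Cloudera Manager (lab)",
    "url": "http://cm.example.com:7180/j_spring_security_check",
    "account_mapping": {"mode": "shared", "username": "admin", "password": "admin"},
    "mfa_policy": None,
    "app_gateway": True,
}

HARDENED_APP = {
    "name": "Cloudera Manager (lab)",
    # 7183 is Cloudera Manager's TLS port once HTTPS is enabled (not stated above)
    "url": "https://cm.example.com:7183/j_spring_security_check",
    "account_mapping": {"mode": "per_user"},
    "mfa_policy": "require-mfa-offnetwork",  # hypothetical policy name
    "app_gateway": True,
}

LOGIN_PATH = "/j_spring_security_check"
DEFAULT_CREDS = {("admin", "admin")}


def audit_app(app):
    """Return a list of findings for a User-Password app tile; empty means clean."""
    findings = []
    url = urlparse(app["url"])
    tls = url.scheme == "https"
    if not tls:
        findings.append("login URL is http: credentials are posted in clear text")
    if url.path != LOGIN_PATH:
        findings.append(f"URL path is {url.path!r}, expected {LOGIN_PATH!r}")
    mapping = app["account_mapping"]
    if mapping.get("mode") == "shared":
        if (mapping.get("username"), mapping.get("password")) in DEFAULT_CREDS:
            findings.append("shared credential is the Cloudera Manager default admin/admin")
        if app.get("mfa_policy") is None:
            findings.append("shared credential published without an MFA policy")
    if app.get("app_gateway") and not tls:
        findings.append("App Gateway exposes a plaintext login endpoint off-network")
    return findings


if __name__ == "__main__":
    for app in (WEAK_APP, HARDENED_APP):
        print(app["name"], app["url"], audit_app(app) or ["OK"])
```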