Configure Kerberos#
Introduction#
Kerberos is a network authentication protocol that allow nodes to communicating over a non-secure network to prove their identity to one another in a secure manner. This tutorial shows an administrator how to configure Kerberos authentication.
Kerberos need some server configuration before you can enable it from the UI.
Prerequisites#
A server configured with Kerberos. See Server Configuration for Kerberos for instruction on how to do this.
Step 1: Enable Kerberos#
After configuring the server you can configure Authentication methods by clicking on your name in the top right corner of the navigation bar and choosing Cluster Settings from the dropdown menu. In the Authentication tab you can find in Cluster Settings, you can enable Kerberos by clicking on the Kerberos checkbox.
If LDAP/Kerberos checkbox is not checked, make sure that you configured your application server and enable it by clicking on the checkbox.
Step 2: Edit configuration#
Finally, click on edit configuration and fill in the attributes.
- Account status: the status a user will be assigned when logging in for the first time. If a user is assigned a status different from Activated an admin needs to manually activate each user from the User management.
- Group mapping: allows you to specify a mapping between LDAP groups and Hopsworks groups. The mapping is a semicolon separated string in the form
Directory Administrators->HOPS_ADMIN;IT People-> HOPS_USER
. Default is empty. If no mapping is specified, users need to be assigned a role by an admin before they can log in. - User id: the id field in LDAP with a string placeholder. Default
uid=%s
. - User given name: the given name field in LDAP. Default
givenName
. - User surname: the surname field in LDAP. Default
sn
. - User email: the email field in LDAP. Default
mail
. - User search filter: the search filter for user. Default
uid=%s
. - Principal search filter: the search filter for principal name. Default
krbPrincipalName=%s
. - Group search filter: the search filter for groups. Default
member=%d
. - Group target: the target to search for groups in the LDAP directory tree. Default
cn
. - Dynamic group target: the target to search for dynamic groups in the LDAP directory tree. Default
memberOf
. - User dn: specify the distinguished name (DN) of the container or base point where the users are stored. Default is empty.
- Group dn: specify the DN of the container or base point where the groups are stored. Default is empty.
All defaults are taken from OpenLDAP.
Note
Group mapping can be disabled by setting ldap_group_mapping_enabled=false
in the Configuration UI. When group mapping is disabled an administrator needs to activate each user from the User Management page.
If group mapping is disabled then Account status in the Kerberos configuration above should be set to Verified
.
The login page will now have the choice to use Kerberos for authentication.
Note
Make sure that you have Kerberos properly configured on your computer and you are logged in. Kerberos support must also be configured on the browser to use Kerberos for authentication.