Kyuubi Authentication Mechanism

In a secure cluster, services should be able to identify and authenticate callers. As the fact that the user claims does not necessarily mean this is true.

The authentication process of kyuubi is used to verify the user identity that a client used to talk to the kyuubi server. Once done, a trusted connection will be set up between the client and server if successful; otherwise, rejected.

Note

This only authenticate whether a user or client can connect with Kyuubi server or not using the provided identity. For other secured services that this user wants to interact with, he/she also needs to pass the authentication process of each service, for instance, Hive Metastore, YARN, HDFS.

The related configurations can be found at Authentication Configurations

• Configure Kyuubi to use Kerberos Authentication
  • Kerberos Overview
  • Enable Kerberos Authentication
• Configure Kerberos for clients to Access Kerberized Kyuubi
  • Instructions
  • Install Kerberos Client
  • Configure Kerberos Client
  • Get Kerberos TGT
  • Add Kerberos Client Configuration File to JVM Search Path
  • Add Kerberos Ticket Cache to JVM Search Path
  • Ensure core-site.xml Exists in Classpath
  • Connect with JDBC URL
• Configure Kyuubi to use LDAP Authentication
  • Enable LDAP Authentication
  • User and Group Filter in LDAP
• Configure Kyuubi to Use JDBC Authentication
  • Enable JDBC Authentication
  • Configure the authentication properties
  • Authentication with In-memory Database
• Configure Kyuubi to use Custom Authentication
  • Build A Custom Authenticator
  • Enable Custom Authentication