2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shows "how to configure authentication using SAML in Cloudera Manager". The content is straightforward and clearly laid out; we hope it resolves your doubts. Let Xiaobian lead you through it.
How to configure authentication using SAML in Cloudera Manager.
Cloudera Manager supports Security Assertion Markup Language (SAML), an open, XML-based standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider (IDP) and a service provider (SP). The SAML specification defines three roles: the principal (usually a user), the IDP and the SP. In the use case SAML addresses, the principal (through a user agent) requests a service from the service provider. The service provider requests and obtains an identity assertion from the IDP. Based on this assertion, the SP can make an access control decision, in other words, decide whether to perform the requested service for the connected principal.

The main SAML use case is called web browser single sign-on (SSO). A user with a user agent (usually a web browser) requests a web resource protected by a SAML SP. The SP wants to know the identity of the requesting user, so it sends an authentication request to the SAML IDP through the user agent. In these terms, Cloudera Manager acts as an SP.

This topic covers the Cloudera Manager side of the configuration process. It assumes that you are familiar with SAML and SAML configuration in general and that you have a working IDP deployed. Note that Cloudera Manager supports both SP-initiated and IDP-initiated SSO. The logout operation in Cloudera Manager sends a logout request to the IDP.

SAML authentication has been tested with specific configurations of SiteMinder and Shibboleth. Although SAML is a standard, configurations vary greatly between IDP products, so other IDP implementations, or other configurations of SiteMinder and Shibboleth, may not interoperate with Cloudera Manager.

To bypass SSO if SAML is misconfigured or not working, you can log in with a Cloudera Manager local account at this URL: http://cm_host:7180/cmf/localLogin
Prepare files
You will need to prepare the following files and information and provide them to Cloudera Manager:
- A Java Keystore containing the private key that Cloudera Manager uses to sign/encrypt SAML messages. For instructions on creating a Java Keystore, see Understanding Keystores and Truststores.
- The SAML metadata XML file from the IDP. The file must contain the public certificate needed to validate the signing/encryption key used by the IDP, per the SAML metadata interoperability profile. For example, if you are using Shibboleth IdP, the metadata file is located at: https://:8080/idp/shibboleth. Note: for instructions on obtaining the metadata XML file from your IDP, contact your IDP administrator or consult the documentation for the IDP version you are using.
- The entity ID used to identify the Cloudera Manager instance.
- How the user ID is passed in the SAML authentication response:
  o as an attribute; if so, which attribute identifier is used
  o as the NameID
- How the Cloudera Manager role is established:
  o from an attribute in the authentication response: which attribute identifier is used and what value is passed to indicate each role
  o from an external script that is called on every login: the script receives the user identity as $1 and sets its exit code to reflect successful authentication. Valid exit codes are between 0 and 127. Cloudera Manager uses these values to map authenticated users to Cloudera Manager user roles.
Configure Cloudera Manager
1) Log in to the Cloudera Manager management console.
2) Select Management > Settings.
3) Select External Authentication as the category filter to display the relevant settings.
4) Set the External Authentication Type property to SAML (SAML ignores the Authentication Backend Order property).
5) Set the Path to SAML IDP Metadata File property to point to the IDP metadata file.
6) Set the Path to SAML Keystore File property to point to the Java Keystore prepared earlier.
7) In the SAML Keystore Password property, set the keystore password.
8) In the Alias for SAML Signing/Encryption Private Key property, set the alias that identifies the private key Cloudera Manager will use.
9) In the SAML Signing/Encryption Private Key Password property, set the private key password.
10) Set the SAML Entity ID property if either of the following applies:
- Multiple Cloudera Manager instances use the same IDP (each instance requires a different entity ID).
- The entity ID is assigned by organizational policy.
11) In the Source of User ID in SAML Response property, set whether to obtain the user ID from an attribute or from the NameID. If you will use an attribute, set the attribute name in the SAML Attribute Identifier for User ID property. The default value is the standard OID for user IDs, so it may not need to be changed.
12) In the SAML Role Assignment Mechanism property, set whether role assignment is done from an attribute or from an external script.
- If you will use an attribute: if necessary, set the attribute name in the SAML Attribute Identifier for User Role property. The default value is the standard OID for OrganizationalUnits, so you may not need to change it.
- If you will use an external script, set the path to the script in the Path to SAML Role Assignment Script property. Make sure the script is executable (an executable binary is fine; it does not have to be a shell script).
13) Save the changes. Cloudera Manager runs a set of validation checks to ensure that the metadata XML and keystore can be found and that the passwords are correct. If you see a validation error, correct the problem before continuing.
14) Restart Cloudera Manager Server.
After you configure authentication for Cloudera Manager, configure authorization for the authenticated users by mapping them to Cloudera Manager user roles. For more information, see Cloudera Manager User Roles.
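The external role-assignment script mentioned in the preparation list and in step 12 has a small contract: Cloudera Manager runs it with the authenticated user identity as the first argument and reads back an exit code between 0 and 127, and the meaning of each code is whatever you configured in the Cloudera Manager role-mapping settings. The following script is an added example written for this page, not Cloudera's own code. The group-file format, the user IDs and the exit-code numbers in it are constructed placeholders; the one design point worth copying is that every unexpected condition (unknown user, unknown role, malformed line, missing argument) collapses to the code you have mapped to "no role", since the exit code is the only channel back to Cloudera Manager and it should fail closed.

```python
#!/usr/bin/env python3
"""External role-assignment script for Cloudera Manager SAML authentication.

Added example, not Cloudera's own code. The contract is the one the page
describes: Cloudera Manager runs the script with the authenticated user's
identity as the first argument ($1) and reads the exit code, which must be
between 0 and 127; what each code means is whatever was configured in the
Cloudera Manager role-mapping settings. The exit-code numbers, the group
file format and the users below are constructed placeholders."""
import sys

# Placeholder exit codes: each must match the code configured for that role
# in Cloudera Manager. They have no meaning of their own.
ROLE_CODES = {"full-admin": 1, "read-only": 2}
NO_ROLE_CODE = 3          # placeholder code configured in CM as "no role"
MAX_EXIT_CODE = 127       # the page: valid exit codes are 0..127

# Constructed group file, one "user-id role" pair per line, '#' comments.
CONSTRUCTED_GROUP_FILE = """
# user id (as delivered in the SAML response)   role
alice@example.com   full-admin
bob@example.com     read-only
carol@example.com   no-such-role
"""


def parse_groups(text):
    """Map user ID -> role name from the group file text. Malformed lines
    are skipped rather than guessed at, so a typo can never grant a role."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            continue
        groups[fields[0]] = fields[1]
    return groups


def role_code_for(user_id, groups):
    """Exit code for user_id. Unknown users, roles with no configured code
    and any code outside 0..127 all fall back to NO_ROLE_CODE, because the
    exit code is the only channel back to Cloudera Manager."""
    role = groups.get(user_id.strip())
    code = ROLE_CODES.get(role, NO_ROLE_CODE)
    if not 0 <= code <= MAX_EXIT_CODE:
        return NO_ROLE_CODE
    return code


def main(argv, group_text=CONSTRUCTED_GROUP_FILE):
    """argv[1] is the user identity passed by Cloudera Manager; a missing
    or empty identity is refused with NO_ROLE_CODE."""
    if len(argv) != 2 or not argv[1].strip():
        return NO_ROLE_CODE
    return role_code_for(argv[1], parse_groups(group_text))


if __name__ == "__main__":
    # A real deployment would read the group file from disk (the path is a
    # deployment choice) instead of the constructed text above.
    sys.exit(main(sys.argv))
```

Install it with the executable bit set, point the Path to SAML Role Assignment Script property at it, and map each code to a role in Cloudera Manager; the Cloudera Manager log is where a mismatch between the codes the script returns and the codes you mapped will show up, as the page notes under verification.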
Configure the IDP
After you restart Cloudera Manager Server, it attempts to redirect to the IDP login page instead of displaying the normal CM page. Depending on how the IDP is configured, this may or may not succeed. In either case, the IDP must be configured to recognize CM before authentication can actually succeed. The details of this process are specific to each IDP implementation; refer to the IDP documentation. If you are using Shibboleth IdP, refer to the Shibboleth documentation on configuring the IdP to communicate with your service provider.
1) Download the SAML metadata XML file for Cloudera Manager from http://hostname:7180/saml/metadata
2) Check the metadata file and make sure that every URL in it can be resolved by the user's web browser. The IDP redirects the browser to these URLs at various points in the process; if the browser cannot resolve them, authentication fails. If the URLs are wrong, you can either fix the XML file by hand or set the Entity Base URL in the CM configuration to the correct value and download the file again.
3) Provide this metadata file to the IDP using whatever mechanism the IDP supports.
4) Make sure the IDP has access to any public certificates needed to validate the private key previously provided to Cloudera Manager.
5) Make sure the IDP is configured to provide the user ID and, if relevant, the role under the attribute names set in the Cloudera Manager configuration.
6) Make sure the changes to the IDP configuration have taken effect (a restart may be required).
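Step 2 above is the check that most often goes wrong in practice: the SP metadata is generated on the Cloudera Manager host, so its endpoint URLs may carry an internal hostname or port that the IDP happily redirects browsers to but that users cannot resolve. The script below is an added example, not part of the page or of Cloudera Manager. It parses a SAML metadata document and lists every endpoint whose scheme, host or port differs from the public base URL users actually reach (the value you would set as Entity Base URL). The sample metadata embedded in it is constructed, and the endpoint paths in it are placeholders rather than Cloudera Manager's real ones; only the SAML 2.0 metadata namespace and element names are real.

```python
#!/usr/bin/env python3
"""Check the endpoint URLs in a SAML SP metadata file.

Added example, not part of the original page or of Cloudera Manager. The page
says every URL in the metadata file must be resolvable by the user's browser,
because the IDP redirects the browser to them. This script parses the
metadata and reports every endpoint whose scheme, host or port differs from
the public base URL users actually reach. The sample metadata and the
endpoint paths in it are constructed placeholders."""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: metadata generated on a host that only knows its
# internal name, so two of the three browser-facing endpoints point at it.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cm.example.com:7183/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://cm-internal.local:7180/saml/logout-placeholder"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://cm-internal.local:7180/saml/acs-placeholder" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cm.example.com:7183/saml/acs-placeholder" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_locations(metadata_xml):
    """Return (element name, Location URL) for every SAML metadata element
    that carries a Location attribute, in document order."""
    root = ET.fromstring(metadata_xml)
    prefix = "{" + MD_NS + "}"
    return [(elem.tag[len(prefix):], elem.get("Location"))
            for elem in root.iter()
            if elem.tag.startswith(prefix) and elem.get("Location") is not None]


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://h and https://h:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def find_url_mismatches(metadata_xml, public_base_url):
    """Endpoints whose origin is not the public base URL browsers can reach."""
    expected = origin(public_base_url)
    return [(name, loc) for name, loc in endpoint_locations(metadata_xml)
            if origin(loc) != expected]


if __name__ == "__main__":
    # usage: check_sp_metadata.py <metadata.xml> <public base URL>
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
        base = sys.argv[2]
    else:
        xml_text, base = SAMPLE_METADATA, "https://cm.example.com:7183"
    bad = find_url_mismatches(xml_text, base)
    for name, loc in bad:
        print(f"{name}: {loc} is not under {base}; browsers may not reach it")
    sys.exit(1 if bad else 0)
```

Run it against the file downloaded in step 1 with the URL users type into their browser as the second argument; a non-zero exit means at least one endpoint needs the Entity Base URL fix described in step 2 before the metadata is handed to the IDP.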
Verify authentication and authorization
1) Return to the Cloudera Manager management console and refresh the login page.
2) Try to log in with the credentials of an authorized user. Authentication should complete and you should see the Home > Status tab.
3) If authentication fails, you will see an error message provided by the IDP. Cloudera Manager is not involved in this part of the process, and you must make sure the IDP works properly to complete authentication. If authentication succeeds but the user is not authorized to use Cloudera Manager, Cloudera Manager takes them to an error page describing the situation. If a user who should be authorized sees this error, verify their role configuration and make sure it is communicated correctly to Cloudera Manager through the attribute or the external script. The Cloudera Manager log provides details about failures to establish a user role. If any error occurs during role mapping, Cloudera Manager treats the user as unauthorized.
The above is the full content of the article "how to configure authentication with SAML in Cloudera Manager". Thank you for reading! We hope the content shared here has been helpful; if you want to learn more, please follow the industry information channel.