
ArchitectureFreeIPA

rwlambert edited this page May 26, 2015 · 1 revision

This page is intended for developers of AmbariKave. For users, return to Home.

This page introduces concepts seen on FreeIPA and how they work in a KAVE setting.

FreeIPA

Proper centralized identity management is the glue which makes a KAVE work. What we envision is that an analyst logs in on a single edge workstation. From such a workstation he is able to securely access the rest of the services, through single sign-on if possible but at least through a single unified identity. The services which first come to mind as ones that should be accessible are:

  • Hadoop
  • GitLab
  • TWiki
  • Jenkins

However, the true power would lie in seamless access to all services.

FreeIPA is a combination of various other services, all tied together. This creates a powerful suite which would otherwise be very difficult to achieve. The services which are tied together in FreeIPA are:

  • Kerberos
  • LDAP
  • DNS

We aim high with full integration but must constrain ourselves to keep the scope realistic and the implementation robust.

Technology run down of FreeIPA

sources

Placing in KAVE architecture

FreeIPA does have some interesting points which make installation a bit less straightforward than one might hope. Ideally it would already be installed and configured before you start installing the KAVE. This is for the faint of heart, so we'll boldly go on and strive for full integration, meaning also integration in Ambari.

The main problem with installation order is the machine names and the DNS server which governs them.

Do you want central user management for your system (Linux) or Hadoop accounts?

[NO] You don't have to do anything tricky; you can install a FreeIPA server with the rest of your blueprint.

[YES] OK, cool! This means you need to install ipa-client on all the machines. This should be done through Ambari but can only happen if reverse DNS is working properly. This brings us to question 2:

Do you have your own DNS solution in place? (No! Scattered hosts files don't count.)

[NO] Right, this is probably the most hardcore setup and requires an Ambari installation in which it's important to have the FreeIPA server installed (through Ambari) prior to adding all the hosts.

[YES] OK, make sure your DNS is configured properly. We can't really help you with that.
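
Since ipa-client can only be rolled out once reverse DNS works, a preflight check over the host list catches inconsistent records before Ambari touches the machines. The sketch below is an added example, not part of AmbariKave or FreeIPA; the kave.example host names and addresses are constructed sample data, and the function names are hypothetical.

```python
import socket

# Constructed sample zone data (not from a real KAVE) for an offline dry run.
SAMPLE_A = {"ipa.kave.example": ["10.0.0.10"], "node1.kave.example": ["10.0.0.11"],
            "node2.kave.example": ["10.0.0.12"], "node3.kave.example": ["127.0.0.1"]}
SAMPLE_PTR = {"10.0.0.10": "ipa.kave.example", "10.0.0.11": "NODE1.kave.example.",
              "10.0.0.12": "gateway.kave.example"}

def dns_forward(name):
    """IPv4 addresses for name from the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})

def dns_reverse(addr):
    """Primary PTR name for addr from the system resolver."""
    return socket.gethostbyaddr(addr)[0]

def table_lookup(table):
    """Resolver backed by a dict; raises OSError on a miss like the socket calls."""
    def lookup(key):
        if key not in table:
            raise OSError("not found")
        return table[key]
    return lookup

def check_host(fqdn, forward=dns_forward, reverse=dns_reverse):
    """Return the list of DNS problems for fqdn (empty list = consistent)."""
    fqdn = fqdn.rstrip(".").lower()
    if "." not in fqdn:
        return ["not a fully qualified name"]
    try:
        addrs = forward(fqdn)
    except OSError as exc:
        return [f"no forward record ({exc})"]
    problems = []
    for addr in addrs:
        if addr.startswith("127."):  # typically a hosts-file entry, not DNS
            problems.append(f"{addr}: loopback address")
            continue
        try:
            ptr = reverse(addr).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{addr}: no PTR record ({exc})")
            continue
        if ptr != fqdn:  # forward and reverse records disagree
            problems.append(f"{addr}: PTR is {ptr}, expected {fqdn}")
    return problems

def preflight(hosts, forward=dns_forward, reverse=dns_reverse):
    """Map each inconsistent host to its problems; empty dict = safe to proceed."""
    results = {h: check_host(h, forward, reverse) for h in hosts}
    return {h: p for h, p in results.items() if p}
```

Called as preflight(hosts) with no resolver arguments it queries the system resolver, so run it from a machine that uses the same DNS server the cluster nodes will use.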

Service integrations

GitLab

Works well. You do have to take into account that the base LDAP name should be a bit longer than usual in order to avoid the compat namespace in the directory:

cn=users,cn=accounts,dc=kave,dc=org
