Tuesday, November 2, 2021

Multifactor Authentication with ESP HDInsight Cluster

Enterprise Security Package (ESP) provides Active Directory integration for Azure HDInsight. This integration allows domain users to use their domain credentials to authenticate with HDInsight clusters and run big data jobs.

HDInsight ID Broker (HIB) provides single sign-on to Apache Ambari through Azure Active Directory using modern OAuth authentication, with multifactor authentication enforced. HDInsight ID Broker provides the authentication infrastructure that enables protocol transition from OAuth (modern) to Kerberos (legacy) without needing to sync password hashes to Azure AD DS. This infrastructure consists of components running on a Windows Server virtual machine (VM) with the HDInsight ID Broker node enabled, along with cluster gateway nodes.

Multi-factor authentication is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan.


Use the following table to determine the best authentication option based on your organization's needs.

[Image: authentication options table]

Use case: The customer can choose the authentication option from the table above. This example focuses on how to enable multifactor authentication for HDInsight cloud users and how to access Ambari with MFA.

  • Enable Multifactor Authentication
  • Access Ambari with MFA

Prerequisites to run this lab:

  1. Set up Azure Active Directory.
    azure-docs/apache-domain-joined-create-configure-enterprise-security-cluster.md at master · MicrosoftDocs/azure-docs · GitHub
  2. Set up Active Directory Domain Services.
    azure-docs/apache-domain-joined-create-configure-enterprise-security-cluster.md at master · MicrosoftDocs/azure-docs · GitHub
  3. Create an ESP HDInsight cluster with HIB enabled, based on the authentication option chosen.
    Azure HDInsight ID Broker (HIB) | Microsoft Docs

Follow the steps below to enable MFA and access Ambari.

Step 1: In Azure Active Directory, go to Security -> Multi Factor Authentication -> Activate the Premium Feature.

Step 2: Click on per-user MFA.

Step 3: The Multi Factor Authentication settings page will open.

Step 4: On the Service Settings page, select the verification options.

Step 5: From the User Setting page, select the user for whom to enable multifactor authentication.

Step 6: Alternatively, a Conditional MFA policy can be created as per the business requirement.

Step 7: When creating the ESP cluster (HIB), the user must be a member of the group for users. Here, hditest2 is part of the clusterusers group.

Step 8: Log in to Ambari with the user ID enabled for multifactor authentication.

Step 9: Initially, it will ask you to set up the Authenticator.

Step 10: Once setup is done, provide the authentication code displayed in Microsoft Authenticator.

Step 11: The Ambari login is successful with MFA authentication.

Posted at https://sl.advdat.com/3CEHhkC