
---
title: Using Kerberos Authentication
---

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.
-->

Kerberos is an encrypted network authentication protocol for client/server applications. Kerberos is a complex subsystem; detailing how to install and configure Kerberos itself is beyond the scope of this document. You should familiarize yourself with Kerberos concepts before configuring Kerberos for your HAWQ cluster. For more information about Kerberos, see [http://web.mit.edu/kerberos/](http://web.mit.edu/kerberos/).

HAWQ supports Kerberos at the HDFS level, at the user authentication level, or at both. You will perform a distinct configuration procedure for each.

Kerberos provides a secure, encrypted authentication service. It does not encrypt the data exchanged between the client and the database, and it provides no authorization services. To encrypt data exchanged over the network, you must use an SSL connection. To manage authorization for access to HAWQ databases and objects such as schemas and tables, you assign privileges to HAWQ users and roles. For information about managing authorization privileges, see [Overview of HAWQ Authorization](hawq-access-checks.html).
## <a id="kerberos_prereq"></a>Prerequisites

Before configuring Kerberos authentication for HAWQ, ensure that:

- System time on the Kerberos server and HAWQ hosts is synchronized. (For example, install the `ntp` package on both servers.)
- Network connectivity exists between the Kerberos server and all nodes in the HAWQ cluster.
- Java 1.7.0_17 or later is installed on all nodes in your cluster. Java 1.7.0_17 is required to use Kerberos-authenticated JDBC on Red Hat Enterprise Linux 6.x or 7.x.
- You can identify the Key Distribution Center (KDC) server you use for Kerberos authentication and the Kerberos realm in which your cluster resides.
- If you plan to use an MIT Kerberos KDC Server but have not yet configured it, see [Example: Setting up an MIT Kerberos KDC Server](kerberos-mitkdc.html) for example instructions.
- If you are using an existing Active Directory KDC Server, also ensure that you have:
    - Installed all Active Directory service roles on your AD KDC server.
    - Enabled the LDAP service.

    Refer to the [Using an Existing Active Directory](https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/_use_an_existing_active_directory_domain.html) Hortonworks documentation for additional preparation instructions.

**Note**: HAWQ supports Active Directory KDC servers only for Ambari-managed clusters. HAWQ does not support command-line-managed clusters employing an Active Directory KDC server.

## <a id="kerberos_procedures"></a>Procedure

You can configure Kerberos for HAWQ for secure HDFS and for user authentication. You will perform different procedures for each:

- [Configuring HAWQ/PXF for Secure HDFS](kerberos-securehdfs.html)
- [Configuring Kerberos User Authentication for HAWQ](kerberos-userauth.html)
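The prerequisites above (Java 1.7.0_17 or later, a known KDC and realm, connectivity to the KDC) can be checked on each HAWQ host before you start either procedure. The script below is an added example, not part of the HAWQ project; it assumes an MIT-style `krb5.conf` (path from `KRB5_CONFIG`, default `/etc/krb5.conf`), `java` on the PATH, and `nc` for the reachability test, and it embeds a constructed sample `krb5.conf` so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Preflight for the Kerberos prerequisites above (added example, not HAWQ's own tooling).
# Assumes an MIT-style krb5.conf and a JDK whose `java -version` prints "1.7.0_17"-style strings.

# Succeed when Java version $1 is at least $2, comparing major.minor.patch_update field by field.
java_version_ok() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[._]' '
        NR == 1 { for (i = 1; i <= 4; i++) have[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 4; i++) { if (have[i] > $i + 0) exit 0; if (have[i] < $i + 0) exit 1 } }'
}
# Print default_realm from the [libdefaults] section of a krb5.conf read on stdin.
krb5_default_realm() {
    awk '/^[ \t]*\[/ { sec = $1 }
         sec == "[libdefaults]" && /^[ \t]*default_realm[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}
# Print every kdc entry (host[:port]) for realm $1 from the [realms] section of a krb5.conf on stdin.
krb5_kdcs() {
    awk -v realm="$1" '/^[ \t]*\[/ { sec = $1; cur = "" }
         sec == "[realms]" && $2 == "=" && $3 == "{" { cur = $1 }
         sec == "[realms]" && cur == realm && /^[ \t]*kdc[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print }'
}
# Constructed sample krb5.conf for the self-check (not from a real deployment).
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com
    }
    OTHER.COM = {
        kdc = kdc.other.com
    }
EOF
}
# Live checks: Java level, realm and KDCs from $KRB5_CONFIG (default /etc/krb5.conf), KDC port reachability.
preflight() {
    conf=${KRB5_CONFIG:-/etc/krb5.conf}
    jv=$(java -version 2>&1 | sed -n 's/^[a-z]* version "\([0-9._]*\).*/\1/p')
    java_version_ok "${jv:-0}" 1.7.0_17 && echo "java $jv OK" || echo "java ${jv:-missing}: need 1.7.0_17 or later"
    realm=$(krb5_default_realm < "$conf"); echo "default_realm: ${realm:-NOT SET in $conf}"
    for k in $(krb5_kdcs "$realm" < "$conf"); do
        host=${k%%:*}; port=${k##*:}; [ "$port" = "$k" ] && port=88   # KDC default port is 88
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1 && echo "kdc $host:$port reachable" || echo "kdc $host:$port UNREACHABLE"
    done
}
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` on every HAWQ node; an unreachable KDC or a pre-1.7.0_17 JDK on any node will surface before you touch the HDFS or user-authentication configuration.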