Analytics on Azure Blog

Multifactor Authentication with ESP HDInsight Cluster

somnathghosh (Microsoft)
Nov 02, 2021

Enterprise Security Package (ESP) provides Active Directory integration for Azure HDInsight. This integration allows domain users to use their domain credentials to authenticate with HDInsight clusters and run big data jobs.

HDInsight ID Broker (HIB) provides single sign-on to Apache Ambari through Azure Active Directory, using modern OAuth authentication while enforcing multifactor authentication. HDInsight ID Broker provides the authentication infrastructure that enables protocol transition from OAuth (modern) to Kerberos (legacy) without needing to sync password hashes to Azure AD DS. This infrastructure consists of components running on a Windows Server virtual machine (VM) with the HDInsight ID Broker node enabled, along with cluster gateway nodes.

 

Multi-factor authentication is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan.


Use the following table to determine the best authentication option based on your organization's needs.

Use case: The customer can choose the authentication option from the table above. In this example we focus on how to enable multifactor authentication for the HDInsight cloud users and how to access Ambari with MFA.

  • Enable Multifactor Authentication
  • Access Ambari with MFA

Prerequisites to run this lab:

  1. Set up Azure Active Directory.
    azure-docs/apache-domain-joined-create-configure-enterprise-security-cluster.md at master · MicrosoftDocs/azure-docs · GitHub
  2. Set up Active Directory Domain Services.
    azure-docs/apache-domain-joined-create-configure-enterprise-security-cluster.md at master · MicrosoftDocs/azure-docs · GitHub
  3. Create an ESP HDInsight cluster with HIB enabled, based on the authentication option chosen.
    Azure HDInsight ID Broker (HIB) | Microsoft Docs

Follow the steps below to enable MFA and access Ambari.

Step 1: In Azure Active Directory, go to Security -> Multi Factor Authentication -> Activate the Premium Feature.

 

Step 2: Click Per-user MFA.

 

Step 3: The Multi Factor Authentication settings page opens.


Step 4: On the Service Settings page, select the verification options.


Step 5: Under User Settings, select the user for whom you want to enable multifactor authentication.

 

 


Step 6: Alternatively, a conditional MFA policy can be created as per the business requirement.


Step 7: When creating the ESP cluster (HIB), the user must be part of the group for cluster users. Here, hditest2 is part of the clusterusers group.

 


Step 8: Log in to Ambari with the user ID enabled for multifactor authentication.

 

 

Step 9: Initially, it will ask you to set up the Authenticator.

 

 

Step 10: Once setup is done, provide the authentication code displayed in Microsoft Authenticator.


Step 11: The Ambari login succeeds with MFA.
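For the conditional policy route in Step 6, a policy can exist without actually forcing MFA on the cluster users group (report-only state, group excluded, or a grant rule that accepts another control). The following check is an added example, not part of the original post or any Microsoft tooling: it reads policies in the Microsoft Graph conditionalAccessPolicy JSON shape and lists the gaps for one group. The group ID and sample policies are constructed, and only user scope, application scope, state and built-in grant controls are evaluated.

```python
# Added example: checks exported Conditional Access policies for MFA coverage
# of one group. Field names follow the Microsoft Graph conditionalAccessPolicy
# JSON; the group ID and the sample policies below are constructed.
GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder for clusterusers

def mfa_gaps(policy, group_id):
    """Return the reasons this policy does not enforce MFA for group_id."""
    gaps = []
    state = policy.get("state")
    if state != "enabled":  # report-only and disabled policies enforce nothing
        gaps.append(f"state is {state!r}")
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    in_scope = (group_id in (users.get("includeGroups") or [])
                or "All" in (users.get("includeUsers") or []))
    if not in_scope:
        gaps.append("group not included")
    if group_id in (users.get("excludeGroups") or []):
        gaps.append("group excluded")
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        gaps.append("not all apps targeted; confirm the cluster sign-in is covered")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        gaps.append("mfa not required")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("OR operator lets another control replace mfa")
    return gaps

def group_requires_mfa(policies, group_id):
    """True if at least one policy enforces MFA for the group with no gaps."""
    return any(not mfa_gaps(p, group_id) for p in policies)

def _policy(name, state, operator, controls):  # builds a constructed sample
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeGroups": [GROUP_ID]},
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [
    _policy("report-only", "enabledForReportingButNotEnforced", "OR", ["mfa"]),
    _policy("mfa-or-device", "enabled", "OR", ["mfa", "compliantDevice"]),
    _policy("mfa-only", "enabled", "OR", ["mfa"]),
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], mfa_gaps(p, GROUP_ID) or "enforces MFA")
```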

 

 

Published Nov 02, 2021
Version 1.0