Hopsworks enterprise edition supports Single Sign-On (SSO) using SPNEGO.
SSO can be configured from the cluster definition, by specifying the following attributes:
```yaml
kerberos:
  enabled: true
  krb_conf_path: "/etc/krb5.conf"
  krb_server_key_tab_path: "/etc/security/keytabs/service.keytab"
  krb_server_key_tab_name: "service.keytab"
  spnego_server_conf: '\nuseKeyTab=true\nprincipal=\"HTTP/hopsworks0.logicalclocks.com@LOGICALCLOCKS.COM\"\nstoreKey=true\nisInitiator=false'
ldap:
  enabled: false
  group_mapping: "Directory Administrators->HOPS_ADMIN;IT People-> HOPS_USER"
  user_id: "sAMAccountName"
  user_givenName: "givenName"
  user_surname: "sn"
  user_email: "mail"
  user_search_filter: "sAMAccountName=%s"
  group_search_filter: "member=%d"
  krb_search_filter: "userPrincipalName=%s"
  attr_binary: "java.naming.ldap.attributes.binary"
  group_target: "cn"
  dyn_group_target: "memberOf"
  user_dn: ""
  group_dn: ""
  account_status: 2
  jndilookupname: "dc=example,dc=com"
  provider_url: "ldap://193.10.66.104:1389"
  attr_binary_val: "objectGUID"
  security_auth: "none"
  security_principal: ""
  security_credentials: ""
  referral: "follow"
  additional_props: ""
```
Both the Kerberos and the LDAP attribute blocks need to be specified; however, unlike the LDAP integration, only the kerberos/enabled attribute needs to be set to true.
The definitions of the LDAP attributes are available in the LDAP integration documentation.
An already deployed instance can be configured with Single Sign-On without running Karamel/Chef. Administrators should create a JNDI resource for the LDAP connector as described in the LDAP integration documentation.
Moreover, administrators should manually copy krb5.conf and the service.keytab into /srv/hops/domains/domain1/config. They should also edit the file /srv/hops/domains/domain/login.conf with the value they would set for the spnego_server_conf attribute.
As with the LDAP instructions, administrators should set kerberos_auth to True in the Hopsworks settings panel. This makes the LDAP configuration option appear in the Admin panel, from which they can configure Hopsworks' LDAP connection.
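The cluster definition above and the manual login.conf step both hinge on a few consistency rules: kerberos/enabled must be true while the ldap block is still present, and the spnego_server_conf value must expand into valid acceptor-side options with an HTTP/<host>@<REALM> principal. The following lint, an added example that is not part of the Hopsworks project, checks those rules against a constructed sample of the definition (the key names are the page's; the finding texts and the principal regex are this example's own).

```python
import re
# Constructed sample mirroring the kerberos/ldap attributes of the cluster definition
# above; only the keys the checks below look at are included.
SAMPLE = {
    "kerberos": {
        "enabled": True,
        "spnego_server_conf": r'\nuseKeyTab=true\nprincipal=\"HTTP/hopsworks0.logicalclocks.com@LOGICALCLOCKS.COM\"\nstoreKey=true\nisInitiator=false',
    },
    "ldap": {
        "enabled": False,
        "group_mapping": "Directory Administrators->HOPS_ADMIN;IT People-> HOPS_USER",
        "krb_search_filter": "userPrincipalName=%s",
        "security_auth": "none",
    },
}

PRINCIPAL_RE = re.compile(r"^HTTP/[A-Za-z0-9.-]+@[A-Z0-9.-]+$")

def parse_group_mapping(mapping):
    """'LDAP group->HOPS_GROUP;...' -> dict, tolerating spaces around '->'."""
    out = {}
    for pair in (p for p in mapping.split(";") if p.strip()):
        ldap_group, _, hops_group = pair.partition("->")
        out[ldap_group.strip()] = hops_group.strip()
    return out

def render_login_conf(spnego_server_conf):
    """Expand the literal \\n and \\" sequences into login.conf option lines (option -> value)."""
    text = spnego_server_conf.replace(r"\n", "\n").replace(r"\"", '"')
    return dict(ln.strip().split("=", 1) for ln in text.splitlines() if "=" in ln)

def check_sso(config):
    """Return findings for an SSO cluster definition; an empty list means it is consistent."""
    findings = []
    krb, ldap = config.get("kerberos", {}), config.get("ldap", {})
    if krb.get("enabled") is not True:
        findings.append("kerberos/enabled must be true for SPNEGO SSO")
    if not ldap:
        findings.append("the ldap block must be present even though ldap/enabled stays false")
    opts = render_login_conf(krb.get("spnego_server_conf", ""))
    principal = opts.get("principal", "").strip('"')
    if not PRINCIPAL_RE.match(principal):
        findings.append("principal must be HTTP/<host>@<REALM>, got %r" % principal)
    if opts.get("useKeyTab") != "true" or opts.get("isInitiator") != "false":
        findings.append("the acceptor side needs useKeyTab=true and isInitiator=false")
    if "%s" not in ldap.get("krb_search_filter", ""):
        findings.append("krb_search_filter needs a %s placeholder for the principal")
    if ldap.get("security_auth") == "none":
        findings.append("note: security_auth=none means an anonymous LDAP bind")
    return findings
```

Running check_sso on the sample returns only the anonymous-bind note, which matches the security_auth: "none" value in the definition above; the output of render_login_conf is the text an administrator pastes into login.conf.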
Expat can be used to migrate existing local users and map them to LDAP users.
As with the LDAP integration, even with Single Sign-On enabled, users will still be able to register with their email addresses. It is up to the administrators to enforce a Single Sign-On-only account policy.