Configuring SSO

Describes how the HPE Ezmeral Data Fabric supports single sign-on (SSO) and how to configure it.

HPE Ezmeral Data Fabric releases 7.3.0 and later support SSO when configured with the Keycloak identity and access management (IAM) solution. No other IAM solution is currently supported.

Configuring SSO is optional. If you do not configure SSO, you must use Data Fabric user names and passwords for access to the cluster. While SSO is supported for Data Fabric core, it is not supported for the Installer or ecosystem components.

Keycloak Is Preinstalled and Preconfigured

Keycloak is the identity and access management (IAM) solution that provides single sign-on (SSO) support for the Data Fabric. Starting with release 7.5.0, Keycloak is preinstalled and preconfigured when you install the mapr-keycloak package and specify the -keycloak option in configure.sh as part of cluster creation.

During cluster installation, Keycloak can be installed on all the nodes in the cluster. However, the Keycloak server is started on only one node. When installed, Keycloak is preconfigured with users, groups, and roles that enable integration of Keycloak with the Data Fabric. The preconfigured items are:

Users (1): admin
  Any additional users that are added must be created with uid and gid attributes, as described in Adding New Users to Keycloak.

Groups (1): fabric-manager
  Any additional groups that are added must be created with the gidNumber attribute, as described in Adding a Group to Keycloak.

Roles (3): fabric-manager, infrastructure-admin, developer
  These are the only supported roles. The developer role is sometimes referred to as the "fabric user" role.

Clients (1): edf-client
  This is the dedicated client for the Data Fabric. In Keycloak, a client is an application or service that can request authentication for a user.
Keycloak installation also gives you access to the Keycloak admin portal.

SSO and Temporary Tickets

Enhancements in release 7.3.0 and later allow clients that aren’t aware of user passwords to access the cluster if they have a valid token from an SSO provider.

In Data Fabric installations that are not configured for SSO, users authenticate by providing a username and password and must obtain a user ticket to issue commands. The ticket enables RPC communication between various Data Fabric services. RPC communication cannot occur without a ticket.

Beginning with release 7.3.0, in installations where SSO is configured, a user provides a password to an SSO provider. The SSO provider authenticates the user and provides a JSON web token (JWT). The client presents the JWT to the CLDB using HTTPS. A CLDB plugin (new in release 7.3.0) functions as an HTTPS server and validates the JWT from the SSO provider. If the token is valid, the CLDB provides a short-lived ticket to the client.

(Figure: SSO Diagram)
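The JWT-to-ticket exchange described above, as an added illustrative model (not Data Fabric, Keycloak, or CLDB plugin code): one function mints the token the SSO provider would issue, the other performs the checks the validating side must make before handing out a short-lived ticket. The issuer URL, shared secret, claim names, and ticket lifetime are constructed assumptions, and HS256 stands in for the asymmetric signing a real Keycloak realm uses so that the example runs offline.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed assumptions for the example (not values from the page or from Keycloak):
ISSUER = "https://keycloak.example/realms/edf"  # hypothetical Keycloak realm URL
AUDIENCE = "edf-client"                         # the dedicated client named on the page
HS256_SECRET = b"constructed-shared-secret"     # stand-in for the realm's signing key
TICKET_TTL = 15 * 60                            # assumed lifetime of the short-lived ticket

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict) -> str:
    """SSO provider side: mint an HS256 JWT for a user it has authenticated."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(HS256_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_jwt(token: str, now=None) -> dict:
    """CLDB plugin side: accept the token only if alg, signature, issuer,
    audience and expiry all check out; raise ValueError otherwise."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never trust alg=none or a swapped algorithm
    expected = hmac.new(HS256_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # constant-time comparison
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def jwt_to_ticket(token: str, now=None) -> dict:
    """CLDB response: a short-lived ticket carrying the user's identity
    (uid/gid come from the Keycloak user attributes the page requires)."""
    now = time.time() if now is None else now
    claims = validate_jwt(token, now)
    return {"user": claims["preferred_username"], "uid": claims["uid"], "gid": claims["gid"],
            "expires": now + TICKET_TTL, "ticket_id": secrets.token_hex(8)}
```

An expired token, a token signed for another issuer or audience, or a tampered payload all fail before any ticket is produced, which is the property the CLDB plugin relies on.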

Object Store and Temporary Tickets

Releases 7.3.0 and later also provide enhancements to enable MinIO Client (mc) communication with the HPE Ezmeral Data Fabric Object Store by using temporary tickets. In non-SSO installations, users and applications authenticate to the Object Store through S3 keys (AccessKey and SecretKey). Release 7.3.0 extended the mc framework to use maprcli with the JWT to obtain a temporary AccessKey and SecretKey in the background. CLDB optimizations allow the CLDB to cache the temporary AccessKey and SecretKey for 15 minutes.