Rusty_M_140798
Jul 28, 2015

Load Balance a Connection URL with Kerberos Auth

We are using Hadoop with Impala; the way you connect to Impala is directly to one of the data node servers. This has issues: as a data node goes down, jobs start failing. What we would like to do is use a standard connection named "impala" and load balance across all of our data nodes.

We are running into an issue as the DNS name does not match, so GSS is failing because the name is not in the KDC. I want to see if it is possible to rewrite the URL to a server name that is pulled from the pool list before a connection is made.

So a request comes in, and the pool contains the server names server1, server2, and server3. Can I switch impala with the name of the server, or is there a better way to do this?

3 Replies

  • I'm going to assume here that you're not using APM (Access Policy Manager). In lieu of APM, the Kerberos ticket has to come from the client directly, which means the client must know the servicePrincipalName (SPN) of the server to make the ticket request. Browsers will use the host name from the URL to derive an SPN (ex. https://www.example.com becomes http/ There's no mechanism for HTTP-based Kerberos to inform the client of the correct name to use, so you only have a few options:

    1. As I mentioned, the SPN is derived from the host name, so if you want to use "impala", then you have to attach this SPN to an account in the realm and export its keytab to all of the backend servers. That is, in order to use a single front-end name, all of the backend servers have to use the same keytab and SPN (i.e. http/impala). It doesn't matter what the server's actual name is (in most cases), because the Kerberos configuration is generally bound to the SPN in the assigned keytab.

    2. APM would more gracefully solve this issue by providing Kerberos Constrained Delegation (and protocol transition) on the backside of the proxy. You could use whatever name you wanted in the front, and APM could use whatever SPN(s) needed on the backend to reach the servers.
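The mechanism behind the reply above, as an added example that is not part of the thread or of any F5 product: the client derives the SPN from the host name in the URL, so a ticket for the front-end name is only decryptable by backends whose keytab holds a key for that SPN. The script models a three-node pool before and after the single-shared-keytab fix from option 1 and reports which nodes would still fail GSS. The realm, server names, front-end name `impala.example.com` (the thread's short name "impala" in FQDN form) and the keytab contents are constructed for illustration; real keytabs are binary files, modelled here as sets of principal names.

```python
"""Added example (not from the original thread): model why a Kerberos ticket
requested for a load-balanced front-end name fails on backends that only hold
their own host's SPN, and check the single-shared-keytab fix the reply proposes.
Realm, server names and keytab contents below are constructed for illustration."""

from urllib.parse import urlsplit

REALM = "EXAMPLE.COM"  # constructed realm


def spn_for_url(url: str, realm: str = REALM) -> str:
    """Derive the service principal a browser / GSS client requests for a URL.

    The client takes the host name from the URL, not from whichever backend
    the load balancer picks, and asks the KDC for HTTP/<host>@<REALM>.  Port
    and path play no part.  The service class is normalised to upper-case
    'HTTP' here; Active Directory matches it case-insensitively, MIT Kerberos
    does not, so keep keytab entries in the form the clients actually request.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return f"HTTP/{host.lower()}@{realm}"


def backends_that_can_accept(spn: str, keytabs: dict[str, set[str]]) -> dict[str, bool]:
    """For each backend, True if its keytab holds a key for the requested SPN.

    A backend without that key cannot decrypt the service ticket, so the GSS
    handshake fails there no matter how the pool member was chosen.
    """
    return {server: spn in entries for server, entries in keytabs.items()}


def backends_missing_spn(spn: str, keytabs: dict[str, set[str]]) -> list[str]:
    """Backends whose keytab still needs the shared front-end SPN added."""
    return sorted(s for s, ok in backends_that_can_accept(spn, keytabs).items() if not ok)


# Constructed pool before the fix: each data node only holds its own host SPN.
PER_HOST_KEYTABS = {
    "server1": {f"HTTP/server1.example.com@{REALM}"},
    "server2": {f"HTTP/server2.example.com@{REALM}"},
    "server3": {f"HTTP/server3.example.com@{REALM}"},
}

# Constructed pool after the fix: the front-end SPN's keytab is exported to
# every node (each node may keep its own host SPN alongside it).
SHARED_KEYTABS = {
    server: entries | {f"HTTP/impala.example.com@{REALM}"}
    for server, entries in PER_HOST_KEYTABS.items()
}

FRONT_END_URL = "https://impala.example.com/"  # constructed virtual-server name


def demo() -> tuple[str, dict[str, bool], dict[str, bool]]:
    """Return the requested SPN and per-node acceptance before/after the fix."""
    spn = spn_for_url(FRONT_END_URL)
    return spn, backends_that_can_accept(spn, PER_HOST_KEYTABS), backends_that_can_accept(spn, SHARED_KEYTABS)


if __name__ == "__main__":
    spn, before, after = demo()
    print("client requests ticket for :", spn)
    print("per-host keytabs           :", before)
    print("shared keytab on all nodes :", after)
    print("nodes still needing the SPN:", backends_missing_spn(spn, PER_HOST_KEYTABS))
```

Rewriting the URL to a pool member's name, as the question proposes, does not help with this model: the browser has already built the SPN from the name it was given before the proxy chooses a member, which is why the reply points to a shared keytab (option 1) or to APM's Kerberos Constrained Delegation (option 2) instead.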

       

  • Ok, that makes sense. I was trying to avoid APM just to see if LTM could cover it, but I will try to create a policy with APM and see what I can do from there. Still very new to F5, so trying to figure out where to use what.

    Thanks for the quick reply!

  • The easier option of the two is probably to create and use a single keytab across all of the servers.