Posted On: Nov 21, 2017

You can now enable authentication with Kerberos and fine-grained EMRFS authorization for Amazon S3 access on your Amazon EMR clusters. You can use Kerberos to authenticate requests between services running on your cluster, user actions on your cluster, and external client requests from remote services. Amazon EMR will create an MIT KDC on the master node of your cluster, and utilize the open-source Kerberos authentication settings for certain application components on your cluster. Additionally, you can easily enable a cross-realm trust with a Microsoft Active Directory to seamlessly allow users in the directory to authenticate using Kerberos to access and run workloads on a cluster.

Additionally, you can now use EMRFS authorization to specify the AWS Identity and Access Management (IAM) role to use when certain users access Amazon S3. Applications like Apache Spark and Apache Hive use EMRFS, Amazon EMR’s connector for Amazon S3, for data access. By default, the policy attached to the EC2 role (instance profile) on your cluster determines the data that can be accessed in Amazon S3. With EMRFS authorization, you can now specify the IAM role to assume when a user or group uses EMRFS to access Amazon S3. Choosing the IAM role for each user or group enables fine-grained access control for Amazon S3 on multi-user Amazon EMR clusters. Furthermore, you can specify the IAM role to use for different Amazon S3 buckets, which makes it easier to enable cross-account Amazon S3 access.
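The role selection described above can be sketched as follows; this is an added example, not code from the announcement or from AWS. The JSON keys follow the EMR security configuration format, the resolver is a simplified model of the top-down, first-match evaluation described in the EMR documentation, and every ARN, user, group and bucket name is a constructed placeholder.

```python
import json

# Constructed sample values: account IDs, role names, users, groups and
# bucket names below are placeholders, not values from the announcement.
DEFAULT_ROLE = "arn:aws:iam::111122223333:role/EMR_EC2_DefaultRole"
ROLE_MAPPINGS = [
    {"Role": "arn:aws:iam::111122223333:role/emrfs-analyst1",
     "IdentifierType": "User", "Identifiers": ["analyst1"]},
    {"Role": "arn:aws:iam::111122223333:role/emrfs-data-eng",
     "IdentifierType": "Group", "Identifiers": ["data-eng"]},
    # A role in another account, selected by bucket prefix (cross-account access).
    {"Role": "arn:aws:iam::444455556666:role/emrfs-partner-bucket",
     "IdentifierType": "Prefix", "Identifiers": ["s3://partner-bucket/"]},
]

def emrfs_security_configuration(mappings):
    """Validate role mappings and wrap them in a security configuration body."""
    for m in mappings:
        if m["IdentifierType"] not in ("User", "Group", "Prefix"):
            raise ValueError("unknown IdentifierType: %r" % m["IdentifierType"])
        if not m["Role"].startswith("arn:aws:iam::") or not m["Identifiers"]:
            raise ValueError("mapping needs an IAM role ARN and identifiers")
    return {"AuthorizationConfiguration":
            {"EmrFsConfiguration": {"RoleMappings": list(mappings)}}}

def role_for_request(mappings, user, groups, s3_path, default_role=DEFAULT_ROLE):
    """Simplified model: mappings are checked top-down and the first match wins;
    with no match the cluster's EC2 instance profile role is used."""
    for m in mappings:
        kind, ids = m["IdentifierType"], m["Identifiers"]
        if ((kind == "User" and user in ids)
                or (kind == "Group" and any(g in ids for g in groups))
                or (kind == "Prefix" and any(s3_path.startswith(p) for p in ids))):
            return m["Role"]
    return default_role

if __name__ == "__main__":
    # JSON body to supply when creating the security configuration.
    print(json.dumps(emrfs_security_configuration(ROLE_MAPPINGS), indent=2))
    for who in (("analyst1", ["data-eng"]), ("bob", ["data-eng"]), ("carol", [])):
        print(who[0], "->", role_for_request(ROLE_MAPPINGS, who[0], who[1],
                                              "s3://partner-bucket/2017/part-0"))
```

Because the first matching mapping wins, a broad group or prefix mapping placed above a specific user mapping takes precedence over it, so order the list from most to least specific.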

To enable authentication with Kerberos and EMRFS authorization on your Amazon EMR cluster, specify these options in your security configuration and corresponding cluster configuration. You can create a security configuration using the security configuration page in the Amazon EMR console, the AWS Command Line Interface (CLI), or the AWS SDK with the Amazon EMR API. If you are creating a cross-realm domain join with a Microsoft Active Directory, please follow these additional steps. Authentication with Kerberos and EMRFS authorization is available on Amazon EMR release 5.10.0 and later. Please visit the Amazon EMR documentation for more information about authentication with Kerberos, EMRFS authorization, and security configurations.

Authentication with Kerberos and EMRFS authorization is available in US East (N. Virginia), EU (Ireland), and South America (São Paulo). These features will be available in all supported regions for Amazon EMR soon.