
I have configured Kerberos with Hadoop. I'm facing difficulty in mapping the Kerberos architecture and whole flow of authentication to my application.

Following is my use case:


We have a web application that calls backend services, which communicate with the Hadoop ecosystem internally.

Now I don't have a clear idea of how the Kerberos authentication will take place, or where the tokens will be stored, i.e. whether client-side or server-side. How would the credential cache be managed when two or more users access the application and access Hadoop, given that when we do kinit the old credential cache is replaced by the new one? What would be the complete flow?

Waiting for response. Thanks

  • The whole point of Kerberos is that **your app** authenticates against the KDC to get a Kerberos authentication ticket (TGT); then your app presents its TGT to Hadoop services, which check it against the KDC, then grant you a Kerberos authorization ticket ("service ticket"); then your app can make repeated calls by presenting the same service ticket, while it is valid (typically 10h, renewable for 7d without needing to re-authenticate). – Samson Scharfrichter Jul 13 '16 at 09:47
  • If you manage the authentication from your code (e.g. using Java and JAAS config) then you can keep your tickets private and avoid messing with the "public" cache. Even if you use external tools like `kinit` you can specify a semi-private cache with env variable `KRB5CCNAME`. – Samson Scharfrichter Jul 13 '16 at 09:49
  • A post that may be of interest to you: http://stackoverflow.com/questions/33211134/hbase-kerberos-connection-renewal-strategy/33243360 – Samson Scharfrichter Jul 13 '16 at 09:52
  • 1
    A must-read: the GitBook by the guy who actually maintains the Kerberos code base for Hadoop, ZooKeeper, Spark *(the reference to H.P. Lovecraft is appropriate IMHO)* https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/index.html – Samson Scharfrichter Jul 13 '16 at 09:53
  • Recommended reads: http://fr.slideshare.net/BolkedeBruin/nl-hug-2016-feb-hadoop-security-from-the-trenches and (again) http://fr.slideshare.net/steve_l/hadoop-and-kerberos-the-madness-beyond-the-gate – Samson Scharfrichter Jul 13 '16 at 09:57
  • Thanks Samson. I will look into this book and come back to you if I need some guidance. – user3313379 Jul 13 '16 at 19:42
  • If a user logs into any kerberized application using Krb5LoginModule, there is a function loginFromKeyTab. The client should have the keytab file to log in to the application. But I think this is a very insecure way of logging in. Anyone who could access your keytab file can log in to the application. Is there any alternative way to log in to the system that is more secure and reliable? I don't understand how to do this. I'm stuck – user3313379 Jul 18 '16 at 07:00
  • The whole point of Kerberos is to build security against **network-based attacks** _(traffic interception, IP spoofing, etc)_. If you cannot store your credentials on a server, because you cannot trust your server, then Kerberos is not a solution. Get another job. – Samson Scharfrichter Jul 18 '16 at 08:22
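An added example (not from the question or the comments) of the approach Samson describes: the backend service authenticates once in its own code from a keytab, keeps the resulting ticket in the JVM's private Subject rather than in the shared cache that `kinit` overwrites, and re-uses it for every request. The principal, keytab path and class name are placeholders, and the Hadoop client libraries (UserGroupInformation, FileSystem) are assumed to be on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class BackendKerberosLogin {
    // Placeholders: substitute the service's own principal and keytab.
    private static final String SERVICE_PRINCIPAL = "backend/app-host.example.com@EXAMPLE.COM";
    private static final String KEYTAB_PATH = "/etc/security/keytabs/backend.keytab";

    private static UserGroupInformation serviceUgi;

    /** Call once at application start-up: obtain the TGT for the service principal. */
    public static synchronized void init(Configuration conf) throws IOException {
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // The TGT lives in this JVM's in-memory Subject, not in the file cache that
        // kinit writes, so a kinit by another user on the host cannot replace it.
        serviceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                SERVICE_PRINCIPAL, KEYTAB_PATH);
    }

    /**
     * Per request: run the Hadoop call inside the service's Kerberos context.
     * Service tickets are fetched and cached by the client library; if the TGT
     * is near expiry it is renewed from the keytab without user interaction.
     */
    public static FileStatus[] listDir(Configuration conf, String dir) throws Exception {
        if (serviceUgi == null) {
            throw new IllegalStateException("init() must run before listDir()");
        }
        serviceUgi.checkTGTAndReloginFromKeytab();
        return serviceUgi.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
            FileSystem fs = FileSystem.get(conf);
            return fs.listStatus(new Path(dir));
        });
    }
}
```

The keytab file itself must be readable only by the account the service runs as; that file permission, not the code, is what keeps the service's credentials private.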

0 Answers