Reputation: 491
Understanding how Hadoop client API with Kerberos
The UserGroupInformation class has a loginUserFromKeytab method that takes the user principal and the name of a keytab file. You do not specify the service principal. I thought that Kerberos would need the service principal. Can someone fill in the blanks that I am missing?
Upvotes: 0
Views: 352
Answers (2)
Reputation: 9067
AFAIK the "login" method is only responsible for initial user authentication on client side
- connect to KDC
- assert it is "principal", get challenged, respond using encrypted password (that's what is inside the keytab file)
- retrieve a ticket-granting ticket (TGT) displayed as
krbtgt/REALM@REALM
Then each and every Hadoop API manage their own authorization but on server side
Client:
- present the TGT at connect time, as proof of authentication
Service:
- check that this principal is not black-listed
- connect to KDC to check that TGT is indeed valid, then to produce the appropriate service ticket (so that further client-service traffic can skip the round-trip to KDC)
- check which "groups" the principal belongs to based on a pluggable authorization library (see for example the HDFS documentation under "Permissions > Group Mapping")
- all permissions checks are based on principal name and group names
Upvotes: 2
Reputation: 8937
In Kerberised cluster there are two types of accounts - simple users and users-services. From technical point of view they are the same and consist of three parts - primary/instance@REALM. But simple users are authenticated by providing principle name and password. It can be configured to use either cluster KDC or can access Active Directory KDC within trusted relations. For users-services kaytabs approach is used. That means that administrator creates keytab file which contains a list of principles valid for it. You can get the principles within keytab by:
klist -kt path_to_keytab
Using loginUserFromKeytab you say want to get Kerberos ticket to your current user to some service using keytab file. As a parameters, you should provide the path to keytab and the name of the service-principle within the keytab. If you succeeded, your current user or executing context owner will get the ticket with all necessary permissions to access the service
Upvotes: 0
Related Questions
- Http request in Java to Hadoop Kerberized Cluster
- What is kerberos?
- Kerberos Authentication on Hadoop Cluster
- Ways to enable communication between kerberized and non kerberized environments
- How to access secure kerberized hadoop using just java API
- What is the Kerberos method?
- Hadoop enable simple authentication
- Hadoop Web Authentication using Kerberos
- Kerberos client usage in windows
- Regarding Hadoop Security via Kerberos