user3375401

Reputation: 491

Understanding how the Hadoop client API works with Kerberos

The UserGroupInformation class has a loginUserFromKeytab method that takes the user principal and the name of a keytab file. You do not specify the service principal. I thought that Kerberos would need the service principal. Can someone fill in the blanks that I am missing?

Upvotes: 0

Views: 352

Answers (2)

Samson Scharfrichter

Reputation: 9067

AFAIK the "login" method is only responsible for the initial user authentication on the client side:

  • connect to KDC
  • assert it is "principal", get challenged, respond using encrypted password (that's what is inside the keytab file)
  • retrieve a ticket-granting ticket (TGT) displayed as krbtgt/REALM@REALM


Then each and every Hadoop API manages its own authorization, but on the server side.

Client:

  • present the TGT at connect time, as proof of authentication

Service:

  • check that this principal is not black-listed
  • connect to KDC to check that TGT is indeed valid, then to produce the appropriate service ticket (so that further client-service traffic can skip the round-trip to KDC)
  • check which "groups" the principal belongs to based on a pluggable authorization library (see for example the HDFS documentation under "Permissions > Group Mapping")
  • all permissions checks are based on principal name and group names

Upvotes: 2
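An added example, not part of the answer above, showing the client-side login step and the first authenticated call in Java against the real Hadoop API (UserGroupInformation, FileSystem). The principal, keytab path, NameNode host and realm are placeholders chosen for the example. It also shows where the service principal the question asks about comes from: loginUserFromKeytab only performs the initial authentication and obtains the TGT, while the Hadoop RPC client reads the server's principal from configuration (here dfs.namenode.kerberos.principal, normally supplied by the cluster's hdfs-site.xml) and uses it during the SASL/GSSAPI handshake with the NameNode.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabLoginExample {
    // Placeholders (assumptions for this example, not values from the original page).
    private static final String USER_PRINCIPAL = "alice@EXAMPLE.COM";
    private static final String KEYTAB = "/etc/security/keytabs/alice.keytab";
    private static final String NAMENODE = "hdfs://nn.example.com:8020";

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("fs.defaultFS", NAMENODE);
        // The service principal is never passed to loginUserFromKeytab. The RPC client takes it
        // from configuration, substitutes _HOST with the NameNode's hostname, and asks the KDC for
        // a service ticket for it when the connection is opened.
        conf.set("dfs.namenode.kerberos.principal", "nn/_HOST@EXAMPLE.COM");
        UserGroupInformation.setConfiguration(conf);

        // Step 1: initial authentication. The client proves knowledge of the key stored in the
        // keytab to the KDC and receives a TGT (krbtgt/EXAMPLE.COM@EXAMPLE.COM).
        UserGroupInformation.loginUserFromKeytab(USER_PRINCIPAL, KEYTAB);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        if (!ugi.hasKerberosCredentials()) {
            throw new IllegalStateException("login did not yield Kerberos credentials");
        }
        System.out.println("Logged in as " + ugi.getUserName() + " via " + ugi.getAuthenticationMethod());

        // Step 2: every RPC issued inside doAs carries this identity. The NameNode authorizes it
        // by principal name plus the groups its configured group mapping returns for that name.
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            FileSystem fs = FileSystem.get(conf);
            for (FileStatus s : fs.listStatus(new Path("/user/" + ugi.getShortUserName()))) {
                System.out.println(s.getPath() + " owner=" + s.getOwner() + " group=" + s.getGroup());
            }
            return null;
        });

        // Long-running clients: the TGT has a finite lifetime, so re-login from the keytab
        // before it expires instead of letting the next RPC fail with a GSS error.
        ugi.checkTGTAndReloginFromKeytab();
    }
}
```

Protect the keytab file itself as you would a password: it holds the principal's long-term key, so mode 0400 owned by the service account, and a separate keytab per host and per service rather than one shared file.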

Alex

Reputation: 8937

In a Kerberised cluster there are two types of accounts - simple users and users-services. From a technical point of view they are the same and consist of three parts - primary/instance@REALM. But simple users are authenticated by providing a principal name and password. It can be configured to use either the cluster KDC or an Active Directory KDC within trusted relations. For users-services the keytab approach is used. That means that the administrator creates a keytab file which contains a list of principals valid for it. You can get the principals within a keytab by:

klist -kt path_to_keytab

Using loginUserFromKeytab you say you want to get a Kerberos ticket for your current user to some service using a keytab file. As parameters, you should provide the path to the keytab and the name of the service principal within the keytab. If you succeed, your current user or executing-context owner will get the ticket with all necessary permissions to access the service.

Upvotes: 0
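An added example, not part of the answer above: a stand-alone Java program (no Hadoop dependency) that reads the MIT keytab file format, version 0x0502, and lists what klist -kt shows for each entry: principal, KVNO, timestamp and enctype, without printing the key bytes. It builds a constructed two-entry keytab in memory with all-zero dummy keys; the realm, principals and timestamp are made up for the demonstration, and when given a path as its first argument it lists that keytab instead. Two things a reviewer wants from such a listing are covered: which principals the file can impersonate (every principal listed is fully usable by whoever can read the file) and whether any entry still carries a legacy enctype such as DES or arcfour-hmac, which the program flags.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public class KeytabList {
    /** The fields klist -kt prints for one entry; the key material is deliberately not kept. */
    static final class Entry {
        final String principal; final int kvno, enctype, keyLength; final long timestamp;
        Entry(String p, int k, int t, long ts, int len) { principal = p; kvno = k; enctype = t; timestamp = ts; keyLength = len; }
    }

    /** IANA Kerberos enctype numbers; only the ones commonly found in keytabs are named. */
    static String enctypeName(int t) {
        switch (t) {
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 16: return "des3-cbc-sha1";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 19: return "aes128-cts-hmac-sha256-128";
            case 20: return "aes256-cts-hmac-sha384-192";
            case 23: return "arcfour-hmac";
            default: return "enctype-" + t;
        }
    }

    /** DES and RC4-based enctypes are deprecated; one weak entry weakens the whole principal. */
    static boolean isWeakEnctype(int t) { return t == 1 || t == 2 || t == 3 || t == 23 || t == 24; }

    /** Parses a v0x0502 keytab: 2-byte magic, then int32-length-prefixed entries (negative = deleted hole). */
    static List<Entry> parse(byte[] keytab) {
        ByteBuffer in = ByteBuffer.wrap(keytab);          // big-endian, as the format requires
        if (in.remaining() < 2 || in.get() != 0x05 || in.get() != 0x02)
            throw new IllegalArgumentException("not a version 0x0502 keytab");
        List<Entry> entries = new ArrayList<>();
        while (in.remaining() >= 4) {
            int size = in.getInt();
            if (size < 0) { in.position(in.position() - size); continue; }   // hole left by ktremove
            if (size == 0 || size > in.remaining()) throw new IllegalArgumentException("truncated entry");
            int end = in.position() + size;
            int numComponents = in.getShort() & 0xFFFF;   // in v2 the realm is not counted
            String realm = readCountedString(in);
            StringBuilder name = new StringBuilder();
            for (int i = 0; i < numComponents; i++) {
                if (i > 0) name.append('/');
                name.append(readCountedString(in));
            }
            in.getInt();                                  // name_type, not shown by klist
            long timestamp = in.getInt() & 0xFFFFFFFFL;
            int kvno = in.get() & 0xFF;                   // 8-bit vno, possibly overridden below
            int enctype = in.getShort() & 0xFFFF;
            int keyLength = in.getShort() & 0xFFFF;
            in.position(in.position() + keyLength);       // skip the key bytes themselves
            if (end - in.position() >= 4) {               // optional trailing 32-bit vno
                int vno32 = in.getInt();
                if (vno32 != 0) kvno = vno32;
            }
            in.position(end);
            entries.add(new Entry(name + "@" + realm, kvno, enctype, timestamp, keyLength));
        }
        return entries;
    }

    private static String readCountedString(ByteBuffer in) {
        byte[] b = new byte[in.getShort() & 0xFFFF];
        in.get(b);
        return new String(b, StandardCharsets.UTF_8);
    }

    /** Constructed sample keytab: two entries with dummy zero keys, laid out as ktutil/kadmin write them. */
    static byte[] sampleKeytab() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.write(0x05); out.write(0x02);
        writeEntry(out, "EXAMPLE.COM", new String[] {"alice"}, 3, 18, 32);
        writeEntry(out, "EXAMPLE.COM", new String[] {"hdfs", "nn.example.com"}, 2, 23, 16);
        out.flush();
        return bytes.toByteArray();
    }

    private static void writeEntry(DataOutputStream out, String realm, String[] comps,
                                   int kvno, int enctype, int keyLength) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        DataOutputStream e = new DataOutputStream(body);
        e.writeShort(comps.length);
        writeCountedString(e, realm);
        for (String c : comps) writeCountedString(e, c);
        e.writeInt(1);                  // KRB5_NT_PRINCIPAL
        e.writeInt(1700000000);         // constructed timestamp
        e.writeByte(kvno & 0xFF);
        e.writeShort(enctype);
        e.writeShort(keyLength);
        e.write(new byte[keyLength]);   // dummy key material
        e.writeInt(kvno);               // trailing 32-bit vno
        e.flush();
        out.writeInt(body.size());
        out.write(body.toByteArray());
    }

    private static void writeCountedString(DataOutputStream out, String s) throws IOException {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.writeShort(b.length);
        out.write(b);
    }

    public static void main(String[] args) throws IOException {
        byte[] keytab = args.length > 0 ? Files.readAllBytes(Paths.get(args[0])) : sampleKeytab();
        System.out.println("KVNO Timestamp   Principal                       Enctype");
        for (Entry e : parse(keytab)) {
            String warn = isWeakEnctype(e.enctype) ? "   <-- weak enctype, re-key this principal" : "";
            System.out.printf("%4d %10d  %-31s %s (%d-byte key)%s%n",
                    e.kvno, e.timestamp, e.principal, enctypeName(e.enctype), e.keyLength, warn);
        }
    }
}
```

Run it with `java KeytabList /etc/security/keytabs/hdfs.keytab` to audit a real file; with no argument it lists the constructed sample, where the hdfs/nn.example.com entry is flagged because it uses arcfour-hmac. Version 0x0501 keytabs (no name_type field, realm counted in num_components) are rare today and deliberately rejected by the magic check rather than silently mis-parsed.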
