using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs


Dominique De Vito
Hi,

Well, Hadoop with authentication works with login/password-pattern Kerberos.

However, Kerberos could work with certificate-based authentication too.

Is Hadoop supporting Kerberos authentication with certificate?
To be more precise (or straight to the point, if you want): is Hadoop working when using certificate-based Kerberos authentication?

Is there any Hadoop cluster out there running with certificate-based Kerberos authentication?

Thanks.

Regards,
Dominique

Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Benoy Antony
Hi Dominique, 

It should work. This is because the authentication mechanism (password or certificate) is between the client and KDC (Kerberos server). Hadoop never knows about the password or certificate. The Hadoop servers receive a service ticket from the client. Client obtains service ticket from KDC. Thus the authentication mechanism (password or certificate) is between the client and KDC.

Though I have not used a certificate for authentication, I had used a 2FA based Kerberos authentication. Instead of password, it was Pin and a token.
The process was like this:

> kinit username

Enter pin and token

> hadoop fs -ls

Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Dominique De Vito
Hi Antony,

Thanks for your answer.

> Though I have not used a certificate for authentication, I had used a 2FA based Kerberos authentication. Instead of password, it was Pin and a token.

Well, human-client authentication is one point, and thank you for confirming it runs with other authentication forms than login/password scheme.

The other point (AFAIU) is Hadoop-component-client authentication <= the second kind of clients.

To be more precise, I have __no__ idea how an HBase region server component is using the "keytab" file (on its node) to authenticate itself towards the KDC.

And if it's some __Java__ library that is reading and using the "keytab" file, I don't know if this Java library could use certificate too for Kerberos authentication.

If you have any thoughts about this subject (Hadoop-component-client authentication with certificate-based Kerberos authentication), I will be happy to read them.

Thanks.

Regards,
Dominique

Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Benoy Antony
Sorry Dominique for the late reply.

For components like Hadoop servers or HBase servers, currently it requires a keytab file to authenticate with KDC and obtain TGT. So AFAIK, the authentication between Hadoop/HBase server and KDC cannot use certificate.

cheers. 
Benoy
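
As an added illustration of the two cases discussed in this thread (not code from Hadoop, HBase or any poster): the JDK's JAAS Krb5LoginModule can log in either from a keytab, as a long-running service does, or from a ticket cache that an earlier kinit filled by whatever method the KDC accepted. The class name KrbLoginDemo, the context name and the command-line arguments are assumptions, and a reachable KDC and a krb5.conf are required.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class KrbLoginDemo {  // hypothetical class name, for illustration only
    // Options for the JDK's Krb5LoginModule. keytab == null selects the ticket cache.
    static Map<String, String> options(String principal, String keytab) {
        Map<String, String> o = new HashMap<>();
        o.put("principal", principal);
        o.put("doNotPrompt", "true");        // never fall back to asking for a password
        if (keytab != null) {                // service style: long-term key read from a file
            o.put("useKeyTab", "true");
            o.put("keyTab", keytab);
            o.put("storeKey", "true");       // keep the key so the service can accept tickets
        } else {                             // user style: TGT already obtained by kinit
            o.put("useTicketCache", "true");
        }
        return o;
    }

    static Subject login(String principal, String keytab) throws LoginException {
        final Map<String, String> opts = options(principal, keytab);
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext ctx = new LoginContext("krb-demo", null, null, jaas);
        ctx.login();   // keytab: AS exchange with the KDC; cache: reads the existing TGT
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        if (args.length < 1) {
            System.err.println("usage: KrbLoginDemo <principal> [keytab-path]");
            return;
        }
        Subject s = login(args[0], args.length > 1 ? args[1] : null);
        System.out.println("Kerberos principals: " + s.getPrincipals());
    }
}
```

In ticket-cache mode the program never sees how the TGT was obtained; in keytab mode the file holds the principal's long-term key, so its file permissions protect the same secret a password would.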


Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Rajiv Chittajallu-2
In reply to this post by Dominique De Vito
Hi Dominique,

I think you are referring to PKINIT. This is applicable for getting
initial TGT. As for region servers (and other similar components in
hadoop), the principal is used in two contexts, one as a service and
other as a client.

* A service to HBase Client
To replace service principal with an x509 cert means to replace
Kerberos as an authentication mechanism and use mutual TLS (zero
cypher for no encryption).

* A Client to HDFS

It could be possible to do that with PKINIT. What is the value in doing this?

Generally it is more complicated to run an X509 CA infra than a KDC and
in general there is always a KDC in the network.
