Posted to user@hadoop.apache.org by Benoy Antony <ba...@gmail.com> on 2018/04/06 00:56:02 UTC

Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Hi Dominique,

It should work. This is because the authentication mechanism (password or
certificate) is between the client and KDC (Kerberos server). Hadoop never
knows about the password or certificate. The Hadoop servers receive a
service ticket from the client. The client obtains the service ticket from the KDC.
Thus the authentication mechanism (password or certificate) is between the
client and KDC.

Though I have not used a certificate for authentication, I had used a 2FA
based Kerberos authentication. Instead of a password, it was a PIN and a
token.
The process was like this:

> kinit username

Enter PIN and token

> hadoop fs -ls

On Mon, Mar 26, 2018 at 6:36 AM, Dominique De Vito <dd...@gmail.com>
wrote:

> Hi,
>
> Well, Hadoop with authentication works with login/password-pattern
> Kerberos.
>
> However, Kerberos could work with certificate-based authentication too.
>
> Is Hadoop supporting Kerberos authentication with certificate?
> To be more precise (or straight to the point, if you want): is Hadoop
> working when using certificate-based Kerberos authentication?
>
> Is there any Hadoop cluster out there running with certificate-based
> Kerberos authentication?
>
> Thanks.
>
> Regards,
> Dominique
>
>

Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Posted by Rajiv Chittajallu <ra...@oath.com.INVALID>.
Hi Dominique,

I think you are referring to PKINIT. This is applicable for getting the
initial TGT. As for region servers (and other similar components in
Hadoop), the principal is used in two contexts: one as a service and the
other as a client.

* A service to the HBase client
To replace the service principal with an X.509 cert means to replace
Kerberos as an authentication mechanism and use mutual TLS (zero
cypher for no encryption).

* A client to HDFS

It could be possible to do that with PKINIT. What is the value in doing this?

Generally it is more complicated to run an X.509 CA infra than a KDC, and
in general there is always a KDC in the network.

On Fri, Apr 6, 2018 at 6:01 AM, Dominique De Vito <dd...@gmail.com> wrote:
> Hi Antony,
>
> Thanks for your answer.
>
>> Though I have not used a certificate for authentication, I had used a 2FA
>> based Kerberos authentication. Instead of a password, it was a PIN and a token.
>
> Well, human-client authentication is one point, and thank you for confirming
> it runs with other authentication forms than the login/password scheme.
>
> The other point (AFAIU) is Hadoop-component-client authentication <= the
> second kind of clients.
>
> To be more precise, I have __no__ idea how an HBase region server component
> is using the "keytab" file (on its node) to authenticate itself towards the
> KDC.
>
> And if it's some __Java__ library that is reading and using the "keytab"
> file, I don't know if this Java library could use a certificate too for
> Kerberos authentication.
>
> If you have any thoughts about this subject (Hadoop-component-client
> authentication with certificate-based Kerberos authentication), I will be happy
> to read them.
>
> Thanks.
>
> Regards,
> Dominique
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@hadoop.apache.org
For additional commands, e-mail: user-help@hadoop.apache.org


Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Posted by Benoy Antony <ba...@gmail.com>.
Sorry Dominique for the late reply.

For components like Hadoop servers or HBase servers, currently a keytab file is
required to authenticate with the KDC and obtain a TGT. So AFAIK, the
authentication between a Hadoop/HBase server and the KDC cannot use a certificate.

Cheers,
Benoy


On Fri, Apr 6, 2018 at 6:01 AM, Dominique De Vito <dd...@gmail.com>
wrote:

> Hi Antony,
>
> Thanks for your answer.
>
> > Though I have not used a certificate for authentication, I had used a
> > 2FA based Kerberos authentication. Instead of a password, it was a PIN and a
> > token.
>
> Well, human-client authentication is one point, and thank you for
> confirming it runs with other authentication forms than the login/password
> scheme.
>
> The other point (AFAIU) is Hadoop-component-client authentication <= the
> second kind of clients.
>
> To be more precise, I have __no__ idea how an HBase region server
> component is using the "keytab" file (on its node) to authenticate itself
> towards the KDC.
>
> And if it's some __Java__ library that is reading and using the "keytab"
> file, I don't know if this Java library could use a certificate too for
> Kerberos authentication.
>
> If you have any thoughts about this subject (Hadoop-component-client
> authentication with certificate-based Kerberos authentication), I will be
> happy to read them.
>
> Thanks.
>
> Regards,
> Dominique
>
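Dominique's open question above is what the "keytab" a region server reads actually contains, and why Benoy says a certificate cannot stand in for it. The following is an added example for this thread, not code from the thread's authors or from the Hadoop/HBase projects: a parser for the MIT keytab file format (version 0x0502) run over a keytab that is constructed in memory with random keys. Every entry is a principal name plus one long-term symmetric key per enctype, tagged with a key version number (kvno). That key is the shared secret with the KDC: Hadoop's UserGroupInformation hands the keytab path to the JDK's Krb5LoginModule (useKeyTab=true), which uses the key to complete the AS exchange and obtain the daemon's TGT. PKINIT replaces that symmetric pre-authentication with a certificate-signed AS-REQ on the client side, so it is a different login path rather than a different kind of keytab; to my knowledge the JDK's built-in Kerberos client has no PKINIT support, which is consistent with the answers in the thread. The principal names, realm, timestamp and key bytes below are all constructed; the enctype numbers are the IANA-assigned ones.

```python
"""Parse an MIT-format Kerberos keytab (file format version 0x0502).

Added example for this thread; not Hadoop or HBase project code. The sample
keytab is constructed in memory with random keys (no real key material).
"""
import os
import struct
import time
from dataclasses import dataclass
from typing import List

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1

# IANA Kerberos enctype numbers; DES, 3DES and RC4 are deprecated (RFC 6649, RFC 8429).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 16, 23, 24}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "hbase/rs1.example.com@EXAMPLE.COM"
    name_type: int
    timestamp: int   # seconds since the epoch, when the key was written
    kvno: int        # key version number
    enctype: int
    key: bytes       # the long-term symmetric key shared with the KDC

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(data: bytes) -> bytes:
    """uint16 length prefix + bytes (the keytab 'counted_octet_string')."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("truncated counted string")
    return buf[off + 2:end], end


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries to keytab bytes; used here only to construct sample input."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp, 8-bit kvno, then the keyblock (enctype + key)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)           # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body  # size excludes the size field
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse keytab bytes into entries; raises ValueError/struct.error on malformed input."""
    if len(data) < 2 or struct.unpack_from(">H", data, 0)[0] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # a negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, off = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        key, off = _read_counted(data, off + 2)
        kvno = vno8
        if off + 4 <= end:         # 32-bit kvno present; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def weak_entries(entries: List[KeytabEntry]) -> List[str]:
    """'principal (enctype)' for every key that uses a deprecated enctype."""
    return [f"{e.principal} ({e.enctype_name})" for e in entries if e.enctype in WEAK_ENCTYPES]


def summarize(entries: List[KeytabEntry]) -> List[str]:
    """klist -kte style lines; the key bytes are deliberately never shown."""
    return [f"{e.kvno:>4} {time.strftime('%Y-%m-%d', time.gmtime(e.timestamp))} "
            f"{e.principal} ({e.enctype_name})" for e in entries]


# Constructed sample: one region server principal with an AES-256 key and a
# leftover RC4 key, both kvno 3, written 2018-04-06. Names and keys are made up.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("hbase/rs1.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1522972800, 3, 18, os.urandom(32)),
    KeytabEntry("hbase/rs1.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1522972800, 3, 23, os.urandom(16)),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(summarize(parsed)))
    for w in weak_entries(parsed):
        print("deprecated enctype:", w)
```

Two practical points follow from what the parser shows. The keytab is equivalent to the service's password, so it needs the same handling as a private key: owned by the daemon's account, mode 0400, and never copied into logs or tickets (summarize above prints everything except the key bytes for that reason). And because each entry carries an enctype, the same walk over a real keytab (klist -kte gives the same view) is a cheap way to find daemons still carrying RC4 or DES keys after a KDC policy change.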

Re: using Kerberos with certificate for authenticating Hadoop components instead of login/password keytabs

Posted by Dominique De Vito <dd...@gmail.com>.
Hi Antony,

Thanks for your answer.

> Though I have not used a certificate for authentication, I had used a 2FA
> based Kerberos authentication. Instead of a password, it was a PIN and a
> token.

Well, human-client authentication is one point, and thank you for
confirming it runs with other authentication forms than the login/password
scheme.

The other point (AFAIU) is Hadoop-component-client authentication <= the
second kind of clients.

To be more precise, I have __no__ idea how an HBase region server component
is using the "keytab" file (on its node) to authenticate itself towards the
KDC.

And if it's some __Java__ library that is reading and using the "keytab"
file, I don't know if this Java library could use a certificate too for
Kerberos authentication.

If you have any thoughts about this subject (Hadoop-component-client
authentication with certificate-based Kerberos authentication), I will be
happy to read them.

Thanks.

Regards,
Dominique

2018-04-06 2:56 GMT+02:00 Benoy Antony <ba...@gmail.com>:

> Hi Dominique,
>
> It should work. This is because the authentication mechanism (password or
> certificate) is between the client and KDC (Kerberos server). Hadoop never
> knows about the password or certificate. The Hadoop servers receive a
> service ticket from the client. The client obtains the service ticket from the KDC.
> Thus the authentication mechanism (password or certificate) is between
> the client and KDC.
>
> Though I have not used a certificate for authentication, I had used a 2FA
> based Kerberos authentication. Instead of a password, it was a PIN and a
> token.
> The process was like this:
>
> > kinit username
>
> Enter PIN and token
>
> > hadoop fs -ls