Posted to hdfs-user@hadoop.apache.org by Geoff Thompson <ge...@bearpeak.com> on 2014/06/16 22:11:41 UTC

Programmatic Kerberos login with password to a secure cluster

Greetings,

We are developing a YARN application where the client executes on a machine that is external to a secure cluster. I have been able to successfully do a Kerberos login by manually running the kinit command on the external machine then starting the client. However, our goal is to not require the user to run kinit.

I have been able to programmatically log in using a keytab file using method loginUserFromKeytab from class org.apache.hadoop.security.UserGroupInformation. This is very useful. However, we also want to see if we can not require the use of a keytab file and allow the user to enter a password into the UI for our YARN client.

Essentially I would like to write a “loginUserWithPassword” method. I can see that this would require creating a javax.security.auth.login.LoginContext with my own callback handler. 

Reading the UserGroupInformation source code I see that a LoginContext needs to be built with a “HadoopConfiguration” which is a private static class inside UserGroupInformation. This class is too difficult to duplicate in my own code since it has too many dependencies on other private details in class UserGroupInformation plus dependencies on other non-public classes in the org.apache.hadoop.security package.

Does anyone know how I could do a programmatic Kerberos login with a password? Or perhaps access a HadoopConfiguration?

Thanks,

Geoff


 

Re: Programmatic Kerberos login with password to a secure cluster

Posted by Zesheng Wu <wu...@gmail.com>.
Perhaps you can use LDAP (or any other possible way) to do the
authentication on the WebServer, and then let the WebServer act as an
authenticated proxy user and agent for real users' requests.


2014-06-17 4:11 GMT+08:00 Geoff Thompson <ge...@bearpeak.com>:

> Greetings,
>
> We are developing a YARN application where the client executes on a
> machine that is external to a secure cluster. I have been able to
> successfully do a Kerberos login by manually running the kinit command on
> the external machine then starting the client. However, our goal is to not
> require the user to run kinit.
>
> I have been able to programmatically log in using a keytab file using
> method loginUserFromKeytab from class
> org.apache.hadoop.security.UserGroupInformation. This is very useful.
> However, we also want to see if we can not require the use of a keytab file
> and allow the user to enter a password into the UI for our YARN client.
>
> Essentially I would like to write a “loginUserWithPassword” method. I can
> see that this would require creating a
> javax.security.auth.login.LoginContext with my own callback handler.
>
> Reading the UserGroupInformation source code I see that a LoginContext
> needs to be built with a “HadoopConfiguration” which is a private static
> class inside UserGroupInformation. This class is too difficult to duplicate
> in my own code since it has too many dependencies on other private details
> in class UserGroupInformation plus dependencies on other non-public classes
> in the org.apache.hadoop.security package.
>
> Does anyone know how I could do a programmatic Kerberos login with a
> password? Or perhaps access a HadoopConfiguration?
>
> Thanks,
>
> Geoff
>
>
>




-- 
Best Wishes!

Yours, Zesheng
