Service Ticket in Kerberos - Hadoop security

I am trying to secure my hadoop cluster using kerberos. I am able to generate TGT using kinit command. But beyond that I am stucked up.

1) I would like to know what is meant by 'serviceTicket' in reality. (Not as a description); Using which command/code we can make use of service ticket?

2) What is the use of '.keyTab' file and '.keyStore' file?

Hadoop-Kerberos story

1. User sends an authentication request to the KDC using kinit command.

2. The KDC sends back an encrypted ticket.

3. User decrypts the ticket by providing his password.

4. Now authenticated, User sends a request for a service ticket.

5. KDC validates the ticket and sends back a service ticket.

6. User presents the service ticket to hdfs@KERBEROS.com.

7. hdfs@KERBEROS.com decrypts the ticket, validating the User’s identity

In the 4th step , 'requesting for service ticket'; what does it actually mean? To get TGT, we use 'kinit' command. Similarly, what is the procedure / method to get service ticket?

My Process in detail:

• LDAP : ActiveDirectory
• Kerberos : Installed in Ubuntu
• Hadoop Cluster : Configured in Ubuntu machines with one master and one slave
• Ubuntu username : labuser

• Realm in Ubuntu : KERBEROS.COM

• The plan is to provide hadoop security with Kerberos and Active Directory

• Generated TGT(using kinit command) in Kerberos Server machine for the users present in ActiveDirectory

Next to integrate Kerberos with Ubuntu hadoop cluster, did the below,

1) Command to create Principal : addprinc -randkey namenode/labuser@KERBEROS.COM

2) Command to create keytab : xst -norandkey -k namenode.service.keytab namenode/labuser@KERBEROS.COM (or) ktadd -k namenode.service.keytab namenode/labuser@KERBEROS.COM

3) Added properties in hadoop configuration files with resp., to Kerberos.

• Staring hadoop cluster, we get to know that Login gets successfull for all the services (Namenode,Datanode,Resource Manager and Node Manager).

  • Log info:INFO org.apache.hadoop.security.UserGroupInformation: Login successful for user dn/labuser@KERBEROS.COM using keytab file * /home/labuser/hadoopC/etc/hadoop/dn.service.keytab

• Yet Hadoop cluster is not started , with failure in,

  • DataNode(java.lang.RuntimeException: Cannot start secure cluster without privileged resources)

  • NameNode(java.io.FileNotFoundException: /home/labuser/.keystore (No such file or directory))

Please suggest whether the above Kerberos process require any change? If yes, please justify

The kerberos API will get the service ticket automatically if the protocol for the service is kerberos enabled.

The server needs the secret key corresponding to hdfs@KERBEROS.com in a keytab file that it can read to decrypt any incoming connections. Generally, you create this using the kadmin command and install the secret in the keytab file using the appropriate utility ( it's different for different versions of kerberos source code.)

Generally, once you have kinit'd as a client, you will never need to run another explict kerberos command to obtain service tickets, PROVIDING all the servers and clients are configured correctly. That's kind of the whole point of kerberos.

If you really want to obtain a service ticket for testing, you can use the kvno command.

http://web.mit.edu/kerberos/krb5-1.13/doc/user/user_commands/kvno.html