Tags: security, hadoop, kerberos, spn, mit-kerberos

Service Ticket in Kerberos - Hadoop security


I am trying to secure my Hadoop cluster using Kerberos. I am able to generate a TGT using the kinit command, but beyond that I am stuck.

1) I would like to know what is meant by 'serviceTicket' in reality (not just as a description). With which command/code can we make use of a service ticket?

2) What is the use of the '.keyTab' file and the '.keyStore' file?

Hadoop-Kerberos story

  1. User sends an authentication request to the KDC using the kinit command.

  2. The KDC sends back an encrypted ticket.

  3. User decrypts the ticket by providing his password.

  4. Now authenticated, User sends a request for a service ticket.

  5. KDC validates the ticket and sends back a service ticket.

  6. User presents the service ticket to hdfs@KERBEROS.com.

  7. hdfs@KERBEROS.com decrypts the ticket, validating the User's identity.

In the 4th step, 'requesting a service ticket', what does it actually mean? To get a TGT, we use the 'kinit' command. Similarly, what is the procedure / method to get a service ticket?

My Process in detail:

Next, to integrate Kerberos with the Ubuntu Hadoop cluster, I did the following:

1) Command to create the principal: addprinc -randkey namenode/labuser@KERBEROS.COM

2) Command to create the keytab: xst -norandkey -k namenode.service.keytab namenode/labuser@KERBEROS.COM (or) ktadd -k namenode.service.keytab namenode/labuser@KERBEROS.COM

3) Added the Kerberos-related properties to the Hadoop configuration files.

Please suggest whether the above Kerberos process requires any change. If yes, please justify.


Solution

  • The Kerberos API will get the service ticket automatically if the protocol for the service is Kerberos-enabled.

    The server needs the secret key corresponding to hdfs@KERBEROS.com in a keytab file that it can read to decrypt any incoming connections. Generally, you create this using the kadmin command and install the secret in the keytab file using the appropriate utility (it's different for different versions of the Kerberos source code).

    Generally, once you have kinit'd as a client, you will never need to run another explicit Kerberos command to obtain service tickets, PROVIDED all the servers and clients are configured correctly. That's kind of the whole point of Kerberos.

    If you really want to obtain a service ticket for testing, you can use the kvno command.

    http://web.mit.edu/kerberos/krb5-1.13/doc/user/user_commands/kvno.html
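One way to see the answer's point in practice: after kinit and kvno, the service ticket appears as an extra line in the credential cache shown by klist. The script below is an added example, not part of the original answer; the klist output is a constructed sample, and check_service_ticket / fetch_and_verify assume a reachable KDC and the namenode principal from the question.

```shell
#!/bin/sh
# Constructed sample of `klist` output after `kinit labuser` followed by
# `kvno namenode/labuser@KERBEROS.COM` (not captured from a real cluster).
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: labuser@KERBEROS.COM

Valid starting       Expires              Service principal
03/01/2024 09:00:00  03/01/2024 19:00:00  krbtgt/KERBEROS.COM@KERBEROS.COM
	renew until 03/02/2024 09:00:00
03/01/2024 09:00:05  03/01/2024 19:00:00  namenode/labuser@KERBEROS.COM'

# has_ticket KLIST_OUTPUT PRINCIPAL
# Returns 0 if the cache listing contains a ticket for PRINCIPAL.
# The service principal is the last field of a ticket line; the
# "renew until" continuation lines never match because their last
# field is a timestamp, not a principal.
has_ticket() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# has_tgt KLIST_OUTPUT REALM
# Returns 0 if the cache holds a TGT (krbtgt/REALM@REALM) for REALM.
has_tgt() {
    has_ticket "$1" "krbtgt/$2@$2"
}

# check_service_ticket PRINCIPAL
# Runs the real klist (requires a credential cache from kinit) and
# reports whether a service ticket for PRINCIPAL is cached.
# Exit codes: 0 present, 1 absent, 2 klist failed / no cache.
check_service_ticket() {
    out=$(klist 2>/dev/null) || return 2
    has_ticket "$out" "$1"
}

# fetch_and_verify PRINCIPAL
# Asks the KDC for a service ticket the way the answer describes (kvno)
# and then confirms it landed in the cache. Requires a reachable KDC.
fetch_and_verify() {
    kvno "$1" >/dev/null 2>&1 || return 2
    check_service_ticket "$1"
}

# Stand-alone demonstration against the constructed sample only.
if has_tgt "$KLIST_SAMPLE" KERBEROS.COM &&
   has_ticket "$KLIST_SAMPLE" namenode/labuser@KERBEROS.COM; then
    echo "sample cache holds both the TGT and the namenode service ticket"
fi
```

Without a service ticket line, the client simply has a TGT and the Hadoop RPC layer will fetch the service ticket on first connection, so an absent line before the first request is normal; after kvno it must be present.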