Login usecase

Brandon Allbery ballbery at sinenomine.net
Mon Jul 18 11:41:49 EDT 2016


While I can’t give you details, it sounds like you want to change the web application to use SPNEGO to do Kerberos authentication with a user; this gives you a credential that you can then use to authenticate to Hadoop.

From: Aneela Saleem <aneela at platalytics.com>
Date: Monday, July 18, 2016 at 11:13
To: Brandon Allbery <ballbery at sinenomine.net>
Cc: "kerberos at mit.edu" <kerberos at mit.edu>
Subject: Re: Login usecase

Thanks Brandon for your response.

Actually, My use-case is that I have a web application that authenticates a user. Then user calls my backend services written in java to interact with hadoop cluster. My hadoop cluster is kerberos-enabled. I need to authenticate this user using my java code. I am able to login using keytab files, but i did not get someway to login using password. For logging in using keytab files, we need to place keytab files for all the system users on all the hosts from where we can access our hadoop cluster. So this is the main drawback. And as you say logging using keytab files is not appropriate then how can we achieve this objective?

Thanks

On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballbery at sinenomine.net<mailto:ballbery at sinenomine.net>> wrote:
You are going to have to describe what you are trying to do in more detail. Keytabs are not normally used for this purpose, except in the case of automated procedures (e.g. cron) that need to log in to a service as if they are a user. Perhaps you have confused keytabs (“passwords” on disk) with ccaches (ephemeral service credentials, which may or may not be on disk and typically expire in a relatively short time)?

On 7/17/16, 16:04, "kerberos-bounces at mit.edu<mailto:kerberos-bounces at mit.edu> on behalf of Aneela Saleem" <kerberos-bounces at mit.edu<mailto:kerberos-bounces at mit.edu> on behalf of aneela at platalytics.com<mailto:aneela at platalytics.com>> wrote:

    Hi all,

    If a user logs into any kerberized Application, using Krb5LoginModule,
    there is a function loginFromKeyTab. Client should have the key tab file to
    login to application. But I think this is very insecure way of login.
    Anyone who cloud access your key tab file then login to application. Is
    there any appropriate way to login to system. I don't understand How to do
    this. I'm stuck

    Thanks
    ________________________________________________
    Kerberos mailing list           Kerberos at mit.edu<mailto:Kerberos at mit.edu>
    https://mailman.mit.edu/mailman/listinfo/kerberos




More information about the Kerberos mailing list