Login usecase

Todd Grayson tgrayson at cloudera.com
Mon Jul 18 14:05:48 EDT 2016 

Aneela,

HDFS supports the use of the \L lowercase "macro".  This is implemented
through the HDFS auth_to_local rules, it can be applied using the
additional rules if within the CDH.   The relationship for kebreros from
hadoop (for a major portion of the platform) traverses the java JGSS
implementation + hadoop security core classes. (Might be the better thread
to shift to if you need deeper discussion?)

This is described in the apache hadoop upstream Jira HADOOP-10556

But I agree discussion the approach on getting agreement on the structure
of username, uppercase/lowercase and group name in general is something to
be having.


On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <ballbery at sinenomine.net>
wrote:

> While I can’t give you details, it sounds like you want to change the web
> application to use SPNEGO to do Kerberos authentication with a user; this
> gives you a credential that you can then use to authenticate to Hadoop.
>
> From: Aneela Saleem <aneela at platalytics.com>
> Date: Monday, July 18, 2016 at 11:13
> To: Brandon Allbery <ballbery at sinenomine.net>
> Cc: "kerberos at mit.edu" <kerberos at mit.edu>
> Subject: Re: Login usecase
>
> Thanks Brandon for your response.
>
> Actually, My use-case is that I have a web application that authenticates
> a user. Then user calls my backend services written in java to interact
> with hadoop cluster. My hadoop cluster is kerberos-enabled. I need to
> authenticate this user using my java code. I am able to login using keytab
> files, but i did not get someway to login using password. For logging in
> using keytab files, we need to place keytab files for all the system users
> on all the hosts from where we can access our hadoop cluster. So this is
> the main drawback. And as you say logging using keytab files is not
> appropriate then how can we achieve this objective?
>
> Thanks
>
> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballbery at sinenomine.net
> <mailto:ballbery at sinenomine.net>> wrote:
> You are going to have to describe what you are trying to do in more
> detail. Keytabs are not normally used for this purpose, except in the case
> of automated procedures (e.g. cron) that need to log in to a service as if
> they are a user. Perhaps you have confused keytabs (“passwords” on disk)
> with ccaches (ephemeral service credentials, which may or may not be on
> disk and typically expire in a relatively short time)?
>
> On 7/17/16, 16:04, "kerberos-bounces at mit.edu<mailto:
> kerberos-bounces at mit.edu> on behalf of Aneela Saleem" <
> kerberos-bounces at mit.edu<mailto:kerberos-bounces at mit.edu> on behalf of
> aneela at platalytics.com<mailto:aneela at platalytics.com>> wrote:
>
>     Hi all,
>
>     If a user logs into any kerberized Application, using Krb5LoginModule,
>     there is a function loginFromKeyTab. Client should have the key tab
> file to
>     login to application. But I think this is very insecure way of login.
>     Anyone who cloud access your key tab file then login to application. Is
>     there any appropriate way to login to system. I don't understand How
> to do
>     this. I'm stuck
>
>     Thanks
>     ________________________________________________
>     Kerberos mailing list           Kerberos at mit.edu<mailto:
> Kerberos at mit.edu>
>     https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

More information about the Kerberos mailing list