Re: Login usecase
daemon@ATHENA.MIT.EDU (Todd Grayson)
Mon Jul 18 14:07:23 2016
In-Reply-To: <CALNT6MWJu6iVPv-z90Tg7cUhtxuH+vxKTwCOYzYA-3r+5HoRvA@mail.gmail.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Mon, 18 Jul 2016 12:06:53 -0600
Message-ID: <CALNT6MVUW4jtihUvre1r6mu4+vD2Wy3teXhiNHKEJVyyQEKVvw@mail.gmail.com>
To: Brandon Allbery <ballbery@sinenomine.net>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>,
        Aneela Saleem <aneela@platalytics.com>
(and I realize Kerberos doesn't do groups)
On Mon, Jul 18, 2016 at 12:05 PM, Todd Grayson <tgrayson@cloudera.com>
wrote:
> Aneela,
>
> HDFS supports the use of the \L lowercase "macro". This is implemented
> through the HDFS auth_to_local rules; it can be applied using the
> additional rules if within CDH. The relationship for Kerberos from
> Hadoop (for a major portion of the platform) traverses the Java JGSS
> implementation plus the Hadoop security core classes. (This might be the
> better thread to shift to if you need deeper discussion.)
>
> This is described in the apache hadoop upstream Jira HADOOP-10556
>
> But I agree that discussing the approach to getting agreement on the
> structure of username, uppercase/lowercase and group name in general is
> a discussion worth having.
>
>
> On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <ballbery@sinenomine.net>
> wrote:
>
>> While I can’t give you details, it sounds like you want to change the web
>> application to use SPNEGO to do Kerberos authentication with a user; this
>> gives you a credential that you can then use to authenticate to Hadoop.
>>
>> From: Aneela Saleem <aneela@platalytics.com>
>> Date: Monday, July 18, 2016 at 11:13
>> To: Brandon Allbery <ballbery@sinenomine.net>
>> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
>> Subject: Re: Login usecase
>>
>> Thanks Brandon for your response.
>>
>> Actually, my use case is that I have a web application that authenticates
>> a user. The user then calls my backend services, written in Java, to
>> interact with the Hadoop cluster. My Hadoop cluster is Kerberos-enabled. I
>> need to authenticate this user using my Java code. I am able to log in
>> using keytab files, but I did not find a way to log in using a password.
>> For logging in using keytab files, we need to place keytab files for all
>> the system users on all the hosts from which we access our Hadoop cluster.
>> So this is the main drawback. And as you say logging in using keytab files
>> is not appropriate, then how can we achieve this objective?
>>
>> Thanks
>>
>> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballbery@sinenomine.net
>> <mailto:ballbery@sinenomine.net>> wrote:
>> You are going to have to describe what you are trying to do in more
>> detail. Keytabs are not normally used for this purpose, except in the case
>> of automated procedures (e.g. cron) that need to log in to a service as if
>> they are a user. Perhaps you have confused keytabs (“passwords” on disk)
>> with ccaches (ephemeral service credentials, which may or may not be on
>> disk and typically expire in a relatively short time)?
>>
>> On 7/17/16, 16:04, "kerberos-bounces@mit.edu on behalf of Aneela Saleem"
>> <kerberos-bounces@mit.edu on behalf of aneela@platalytics.com> wrote:
>>
>>     Hi all,
>>
>>     If a user logs into any kerberized application using Krb5LoginModule,
>>     there is a function loginFromKeyTab. The client should have the keytab
>>     file to log in to the application. But I think this is a very insecure
>>     way of logging in: anyone who could access your keytab file could then
>>     log in to the application. Is there any appropriate way to log in to
>>     the system? I don't understand how to do this. I'm stuck.
>>
>>     Thanks
>>     ________________________________________________
>>     Kerberos mailing list           Kerberos@mit.edu
>>     https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
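As an added illustration of the auth_to_local mapping Todd describes above (example code written for this page, not Hadoop's own KerberosName implementation and not from anyone in the thread): a small Python evaluator for Hadoop-style rules of the form RULE:[n:format](filter)s/pattern/replacement/[g][/L], where the trailing /L flag is the lowercase "macro" he refers to. The sample rule set, realm EXAMPLE.COM and the principals in the test are constructed; unmapped principals are rejected rather than passed through.

```python
import re
# Illustrative re-implementation of Hadoop-style auth_to_local mapping (not Hadoop's
# own KerberosName class). Rules: DEFAULT | RULE:[n:format](filter)s/pat/repl/[g][/L]
# n = component count; format uses $0 (realm) and $1..$n; a trailing /L lowercases.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"        # [n:format]
    r"(?:\(([^)]*)\))?"                # optional (filter), must match the whole name
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"     # optional s/pattern/replacement/[g]
    r"(/L)?$"                          # optional lowercase flag
)

def split_principal(principal):
    # 'svc/host@REALM' -> (['svc', 'host'], 'REALM'); the realm is required
    name, _, realm = principal.rpartition("@")
    if not realm or not name:
        raise ValueError("malformed principal: %r" % principal)
    return name.split("/"), realm

def apply_rules(principal, rules, default_realm):
    # Return the short local user name, or raise if no rule accepts the principal
    comps, realm = split_principal(principal)
    for rule in rules:
        rule = rule.strip()
        if rule == "DEFAULT":  # maps only single-component names in the local realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unparseable rule: %r" % rule)
        n, fmt, flt, pat, repl, glob, lower = m.groups()
        if int(n) != len(comps):
            continue  # rule is for a different component count
        candidate = fmt.replace("$0", realm)
        for i, comp in enumerate(comps, start=1):
            candidate = candidate.replace("$%d" % i, comp)
        if flt is not None and re.fullmatch(flt, candidate) is None:
            continue  # acceptance filter rejected this name
        if pat is not None:
            candidate = re.sub(pat, repl, candidate, count=0 if glob else 1)
        return candidate.lower() if lower else candidate
    # Fail closed: an unmapped principal must not silently become a local user
    raise ValueError("no auth_to_local rule matches %r" % principal)

# Constructed sample rules: EXAMPLE.COM names map to lowercase short names; others are rejected
SAMPLE_RULES = [
    "RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*///L",
    "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L",
    "DEFAULT",
]
```

With these rules, a mixed-case user principal and its service-style two-component form both collapse to one lowercase account, which is the consistency the username/group structure discussion in the thread is about.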