[37586] in Kerberos


Re: Login usecase

daemon@ATHENA.MIT.EDU (Aneela Saleem)
Mon Jul 18 17:58:08 2016

In-Reply-To: <CALNT6MVUW4jtihUvre1r6mu4+vD2Wy3teXhiNHKEJVyyQEKVvw@mail.gmail.com>
Date: Tue, 19 Jul 2016 01:46:23 +0500
Message-ID: <CAC1K3K_jfb5SjdAgAGVcErG4ZGGY2HUQ40Z99EWREKHMpE4Uxw@mail.gmail.com>
From: Aneela Saleem <aneela@platalytics.com>
To: Todd Grayson <tgrayson@cloudera.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>


Thanks Brandon and Todd,

I still have some confusion. Please guide me; I'm just a beginner.

At the current stage I'm not implementing single sign-on. Here is the flow
of our application:

Screenshotfrom2016-07-12171018.jpg
<https://drive.google.com/a/platalytics.com/file/d/0BytQ11DT_A8HUjhIcUU2bm1PSlU/view?usp=drivesdk>


User1 logs into our application through password-based authentication.
After that, when the user tries to access the Kerberized Hadoop cluster,
it gets the authentication token from the KDC, the credential cache for
this user is stored on the client machine where the application is
running, and user1 accesses the cluster.  Meanwhile another user (i.e.,
user2) logs into the application and tries to access the Kerberized
cluster. Now when it gets the token from the KDC, will the credentials of user1
be overridden by user2's credentials? If so, then how do we solve this
particular scenario? I'm not getting a clear idea.

Thanks

On Monday, 18 July 2016, Todd Grayson <tgrayson@cloudera.com> wrote:

> (and I realize kerberos doesn't do groups)
>
> On Mon, Jul 18, 2016 at 12:05 PM, Todd Grayson <tgrayson@cloudera.com> wrote:
>
>> Aneela,
>>
>> HDFS supports the use of the \L lowercase "macro".  This is implemented
>> through the HDFS auth_to_local rules; it can be applied using the
>> additional rules if within the CDH.   The relationship for Kerberos from
>> Hadoop (for a major portion of the platform) traverses the Java JGSS
>> implementation + Hadoop security core classes. (Might be the better thread
>> to shift to if you need deeper discussion?)
>>
>> This is described in the apache hadoop upstream Jira HADOOP-10556
>>
>> But I agree discussing the approach on getting agreement on the structure
>> of username, uppercase/lowercase and group name in general is something to
>> be having.
>>
>>
>> On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <ballbery@sinenomine.net> wrote:
>>
>>> While I can't give you details, it sounds like you want to change the
>>> web application to use SPNEGO to do Kerberos authentication with a user;
>>> this gives you a credential that you can then use to authenticate to Hadoop.
>>>
>>> From: Aneela Saleem <aneela@platalytics.com>
>>> Date: Monday, July 18, 2016 at 11:13
>>> To: Brandon Allbery <ballbery@sinenomine.net>
>>> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
>>> Subject: Re: Login usecase
>>>
>>> Thanks Brandon for your response.
>>>
>>> Actually, my use case is that I have a web application that
>>> authenticates a user. Then the user calls my backend services written in Java
>>> to interact with the Hadoop cluster. My Hadoop cluster is Kerberos-enabled. I
>>> need to authenticate this user using my Java code. I am able to log in using
>>> keytab files, but I did not find some way to log in using a password. For
>>> logging in using keytab files, we need to place keytab files for all the
>>> system users on all the hosts from where we can access our Hadoop cluster.
>>> So this is the main drawback. And as you say logging in using keytab files is
>>> not appropriate, then how can we achieve this objective?
>>>
>>> Thanks
>>>
>>> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballbery@sinenomine.net> wrote:
>>> You are going to have to describe what you are trying to do in more
>>> detail. Keytabs are not normally used for this purpose, except in the case
>>> of automated procedures (e.g. cron) that need to log in to a service as if
>>> they are a user. Perhaps you have confused keytabs ("passwords" on disk)
>>> with ccaches (ephemeral service credentials, which may or may not be on
>>> disk and typically expire in a relatively short time)?
>>>
>>> On 7/17/16, 16:04, "kerberos-bounces@mit.edu on behalf of Aneela Saleem"
>>> <kerberos-bounces@mit.edu on behalf of aneela@platalytics.com> wrote:
>>>
>>>     Hi all,
>>>
>>>     If a user logs into any Kerberized application using Krb5LoginModule,
>>>     there is a function loginFromKeyTab. The client should have the keytab
>>>     file to log in to the application. But I think this is a very insecure
>>>     way of login. Anyone who could access your keytab file could then log in
>>>     to the application. Is there any appropriate way to log in to the system?
>>>     I don't understand how to do this. I'm stuck.
>>>
>>>     Thanks
>>>     ________________________________________________
>>>     Kerberos mailing list           Kerberos@mit.edu
>>>     https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>>
>> --
>> Todd Grayson
>> Business Operations Manager
>> Customer Operations Engineering
>> Security SME
>>
>>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>
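An added example, not code from the thread or from any of its participants, showing one way a Java backend can keep user1's and user2's Kerberos credentials apart. The shared on-disk credential cache (the one kinit writes) is exactly what gets overwritten when two users log in from the same process, so each password login here gets its own LoginContext with Krb5LoginModule configured with useTicketCache=false: the TGT lives only in that user's in-memory Subject, and work for that user runs under Subject.doAs with that Subject. The JAAS entry name, the principal names, the realm EXAMPLE.COM and the passwords taken from the command line are assumptions; realm and KDC settings come from the host's krb5.conf.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Example (not from the thread): one isolated Kerberos login per application user.
 * useTicketCache=false means Krb5LoginModule neither reads nor writes the shared
 * FILE ccache, so a second user's login cannot overwrite the first user's TGT.
 */
public final class PerUserKerberosLogin {

    // In-memory JAAS configuration; the entry name "per-user-password" is an assumption.
    private static final Configuration PASSWORD_LOGIN = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "false"); // keep the TGT in the Subject, not on disk
            opts.put("useKeyTab", "false");      // password login: no keytab on the host
            opts.put("storeKey", "false");       // never keep the user's long-term key
            opts.put("doNotPrompt", "false");    // name/password come from our CallbackHandler
            opts.put("refreshKrb5Config", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                          LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    };

    private PerUserKerberosLogin() {}

    /** Authenticate one user with a password; the returned context owns a fresh Subject with only that TGT. */
    public static LoginContext login(String principal, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext lc = new LoginContext("per-user-password", new Subject(), handler, PASSWORD_LOGIN);
        try {
            lc.login();
        } finally {
            Arrays.fill(password, '\0'); // the password is not needed once the TGT is held
        }
        return lc;
    }

    /** Run work as one user; JGSS/SASL inside the action sees only this Subject's ticket. */
    public static <T> T runAs(Subject subject, PrivilegedExceptionAction<T> action) throws Exception {
        try {
            return Subject.doAs(subject, action);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    /** Client principal of the TGT held by a Subject, or null if it holds none. */
    public static String tgtClient(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t.getClient().getName();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java PerUserKerberosLogin <user1 password> <user2 password>
        LoginContext user1 = login("user1@EXAMPLE.COM", args[0].toCharArray());
        LoginContext user2 = login("user2@EXAMPLE.COM", args[1].toCharArray());

        // Two independent Subjects: user2's login did not touch user1's ticket.
        System.out.println("user1 Subject holds a TGT for " + tgtClient(user1.getSubject()));
        System.out.println("user2 Subject holds a TGT for " + tgtClient(user2.getSubject()));

        // Inside doAs the current Subject is the one we passed, so cluster calls act as that user.
        String who = runAs(user1.getSubject(),
                () -> tgtClient(Subject.getSubject(AccessController.getContext())));
        System.out.println("inside doAs for user1 the caller is " + who);

        user1.logout(); // destroys that user's TGT when the web session ends
        user2.logout();
    }
}
```

Two things follow from this design. First, Hadoop's UserGroupInformation.loginUserFromKeytab (the "loginFromKeyTab" mentioned earlier in the thread) sets a single process-wide login user, which is why it cannot serve two concurrent users; for the per-user case, wrap the Subject produced above with UserGroupInformation.getUGIFromSubject(subject) and call doAs on that UGI so the Hadoop client libraries use it. Second, because nothing is written to the on-disk ccache, credentials disappear when the Subject is discarded or logout() runs, which is the behaviour you want when many users share one application host.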

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
