hadoop-common-user mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Configure Hadoop Kerberos to authenticate LDAP users
Date Sun, 19 Jun 2016 11:20:01 GMT
I'm not aware of a clear solution for this. If you use the MIT Kerberos KDC or other Kerberos products,
your problem isn't related to Hadoop at all; your basic problem is how to allow
your LDAP users to authenticate via Kerberos without account sync-up between your LDAP and
the KDC backend. If you can get this to work, then your LDAP users can do kinit and then access
the Hadoop cluster normally.

So to solve the problem, depending on which KDC is used, you may query the corresponding vendor,
like MIT KDC. Particularly for MIT KDC, I don't know whether it supports customizing and plugging in
your own backend well. The existing LDAP backend may imply some krb5 schema, and at least you need
to populate your LDAP entries into it.

Apache Kerby also provides a KDC server and does support customizing your own backend
implementation, say, against your existing LDAP server. That means you provide an abstraction
or bridge between the KDC server and your LDAP server.

Basically, the delegation or bridge abstraction for your LDAP may work for you, depending
on how successful the mapping is, or how you can provide the basic and necessary
information for the Kerberos logic by querying your LDAP entries. The basic ones are like:
1) how to determine the principal realm? Is it available in your LDAP database?
2) how to determine the encryption keys? Do you have passwords? If you do, it means you may need to transform
passwords to Kerberos keys dynamically.

An ideal way could be like this: your LDAP users are authenticated as usual, regardless of Kerberos,
and the authenticated result is represented in a token. The token can then be recognized
by the Kerberos KDC as a credential (only doable in the Kerby KDC), or the token could be used directly
to access the Hadoop cluster (long desired, but not possible at the moment).

Regards,
Kai
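Point 2) in the reply above, turning a cleartext password into Kerberos encryption keys, is the string-to-key function of RFC 3962 for the aes128-cts-hmac-sha1-96 enctype, and it depends on point 1) because the default salt (RFC 4120) is the realm name followed by the principal name components. The Go program below is an added example, not code from this thread, from Apache Kerby or from MIT krb5: it implements RFC 3961 n-fold, PBKDF2-HMAC-SHA1 and the DK derivation, and derives a key the way a bridge backend sitting between a KDC and an LDAP password would have to. The realm EXAMPLE.COM, the user alice and the password in main are constructed values; the iteration count 4096 is the RFC 3962 default.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// DefaultSalt builds the RFC 4120 default salt: realm name followed by the
// principal's name components, concatenated without separators.
func DefaultSalt(realm string, components ...string) string {
	return realm + strings.Join(components, "")
}

func gcd(a, b int) int {
	for b != 0 {
		a, b = b, a%b
	}
	return a
}

// nfold is the RFC 3961 n-fold function: copies of in, each rotated right by
// 13 bits more than the previous, are concatenated to lcm(len(in), outLen)
// bytes, cut into outLen-byte slices and summed as big-endian ones'-complement
// integers (end-around carry).
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	lcm := inLen * outLen / gcd(inLen, outLen)
	rotate := func(nbits int) []byte { // rotate in right by nbits
		nbytes, rem := (nbits/8)%inLen, nbits%8
		r := make([]byte, inLen)
		for i := 0; i < inLen; i++ {
			a := in[((i-nbytes)%inLen+inLen)%inLen]
			b := in[((i-nbytes-1)%inLen+inLen)%inLen]
			r[i] = (a >> rem) | byte((int(b)<<(8-rem))&0xff)
		}
		return r
	}
	sum := make([]int, outLen)
	for c := 0; c < lcm/inLen; c++ {
		for j, v := range rotate(13 * c) {
			sum[(c*inLen+j)%outLen] += int(v)
		}
	}
	for overflow := true; overflow; { // propagate end-around carries
		next := make([]int, outLen)
		overflow = false
		for i := range sum {
			next[i] = (sum[(i+1)%outLen] >> 8) + (sum[i] & 0xff)
			overflow = overflow || next[i] > 0xff
		}
		sum = next
	}
	out := make([]byte, outLen)
	for i, v := range sum {
		out[i] = byte(v)
	}
	return out
}

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 2898), the PRF RFC 3962 prescribes.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)            // U1
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha1.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey is DK(key, constant) of RFC 3961 for a 128-bit AES key: n-fold the
// constant to one block and encrypt it under a zero IV (CTS of a single block
// is plain CBC), keeping the 16-byte result.
func deriveKey(key, constant []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if len(constant) != aes.BlockSize {
		constant = nfold(constant, aes.BlockSize)
	}
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(blk, make([]byte, aes.BlockSize)).CryptBlocks(out, constant)
	return out
}

// AES128StringToKey is the RFC 3962 string-to-key for aes128-cts-hmac-sha1-96:
// tkey = PBKDF2(password, salt, iterations, 16); key = DK(tkey, "kerberos").
func AES128StringToKey(password, salt string, iterations int) []byte {
	return deriveKey(pbkdf2SHA1([]byte(password), []byte(salt), iterations, 16), []byte("kerberos"))
}

func toHex(b []byte) string { return hex.EncodeToString(b) }

func main() {
	// Constructed values: a realm and user such as an LDAP bridge would map.
	salt := DefaultSalt("EXAMPLE.COM", "alice")
	fmt.Printf("salt=%q\naes128 key=%s\n", salt, toHex(AES128StringToKey("correct horse battery staple", salt, 4096)))
}
```

Two practical consequences for a bridge backend follow from this derivation. The client computes the same key from the same password, so the KDC must hand it the salt and iteration count it used (in the etype-info2 pre-authentication data) and must choose both deterministically per principal, which is why the realm has to be resolvable from the LDAP entry before any key exists. And the derivation needs the cleartext password at the moment the KDC runs it: if the directory stores only a salted hash (SSHA and the like), no Kerberos key can be computed from it, which is the case the token-based approach in the reply above is meant to address.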

From: Aneela Saleem [mailto:aneela@platalytics.com]
Sent: Sunday, June 19, 2016 5:08 PM
To: user@hadoop.apache.org
Subject: Configure Hadoop Kerberos to authenticate LDAP users

Hi all,

I have configured Kerberos on a Hadoop cluster which successfully authenticates users that reside
in the Kerberos database. Now I want to make Hadoop Kerberos authenticate LDAP users directly
instead of local users. I've been looking into it for days but didn't find the correct direction.
I followed this <http://web.mit.edu/kerberos/krb5-1.13/doc/admin/advanced/ldapbackend.html#ldap-be-ubuntu>
but this only adds the principals to LDAP (I don't want this); I just need to authenticate
already existing LDAP users while accessing Hadoop through Kerberos. I also considered this <http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/kerb-oneway-trust.html>
but I don't know how to do this on my Ubuntu machine. A suitable response and guidance would
be highly appreciated.

Thanks