hadoop-hdfs-dev mailing list archives

From Praveen Sripati <praveensrip...@gmail.com>
Subject Kerberos service token vs Service ticket
Date Wed, 28 Dec 2011 16:55:11 GMT

According to `Hadoop: The Definitive Guide`:

> A delegation token is generated by the server (the NameNode in this case),
> and can be thought of as a shared secret between the client and the server.
> On the first RPC call to the NameNode, the client has no delegation token,
> so it uses Kerberos to authenticate, and as a part of the response it gets
> a delegation token from the NameNode. In subsequent calls, it presents the
> delegation token, which the NameNode can verify (since it generated it
> using a secret key), and hence the client is authenticated to the server.

Once the TGS (Ticket Granting Server) gives a service ticket to the Client
for the NameNode, the service ticket can be used again and again to invoke
the service without contacting the KDC (Key Distribution Center) till the
service ticket expires. Then what is the advantage of the delegation token
over the Kerberos service ticket for accessing the NameNode?
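
The token flow in the quoted passage, as an added example that is not part of the original message and is not Hadoop's code: a simplified model in which the server derives the token password as an HMAC over the token identifier under its secret key. The class and field names, the HMAC-SHA256 choice, the JSON identifier layout and the `kerberos_authenticated` flag (standing in for the Kerberos exchange) are assumptions.

```python
import hashlib
import hmac
import json
import os
import time


class TokenServer:
    """Stands in for the NameNode (hypothetical model, not Hadoop code)."""

    def __init__(self, lifetime_s=3600):
        self._master_key = os.urandom(32)  # secret key; never leaves the server
        self._lifetime_s = lifetime_s
        self._cancelled = set()

    def _password(self, identifier):
        # The token password is a MAC over the identifier under the secret key.
        return hmac.new(self._master_key, identifier, hashlib.sha256).digest()

    def issue(self, kerberos_authenticated, owner, now=None):
        # First call: only a caller that already authenticated via Kerberos
        # (modelled here as a boolean) may obtain a token.
        if not kerberos_authenticated:
            raise PermissionError("token issuance requires Kerberos authentication")
        now = time.time() if now is None else now
        fields = {"owner": owner, "expires": now + self._lifetime_s,
                  "nonce": os.urandom(8).hex()}
        identifier = json.dumps(fields, sort_keys=True).encode()
        return identifier, self._password(identifier)

    def verify(self, identifier, password, now=None):
        # Subsequent calls: recompute the MAC before trusting any field.
        # Simplification: the password is presented directly to the server.
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._password(identifier), password):
            return None  # forged or altered identifier
        if identifier in self._cancelled:
            return None  # revoked by the server
        fields = json.loads(identifier)
        if now >= fields["expires"]:
            return None  # expired
        return fields["owner"]

    def cancel(self, identifier):
        self._cancelled.add(identifier)
```
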

