
Basic Kerberos Question

Hello,

Once we get authentication from Kerberos for my userID, how does Kerberos know what services I can use? Does it provide access based on Realm? Does the Realm need to bind with services?


@Anpan K

Kerberos does not know what services you can or cannot use. This question of what resources you are allowed to access is answered by Ranger (or the authorization layer).

HTH


The Kerberos infrastructure does not know what services are available to a particular user. Its job is to provide authentication information. It is then up to the service to determine whether that authenticated user is allowed to perform the requested operation.

That said, each service that wants to allow for Kerberos authentication needs to have a service principal set up in the/a KDC. The service may have a different realm than the realm for the user; however, a trust relationship will need to be set up between the relevant KDCs so that the service will be able to validate the service ticket provided by the user.

In a nutshell, once the user has a Kerberos ticket (via kinit), that user may request access to some service - typically using some client application. For example, curl, hdfs client, etc. The client application will use the user's Kerberos ticket and some service's principal name to request a service ticket from the KDC. The KDC will hand the client application the service ticket, which is then passed to the service. The service sends the service ticket back to the KDC for validation. If valid, the service will trust the data and retrieve the user's principal from it. Sometimes the user's principal is used as-is or translated using configured auth-to-local rules into some local username. In either case, the service will somehow determine authorization. For example, using Ranger.
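The auth-to-local step mentioned above is where the authenticated principal becomes the local username that Ranger or the service's own ACLs are then checked against. The following is an added example, not code from this thread or from Hadoop: a simplified evaluator for Hadoop's `hadoop.security.auth_to_local` rule syntax (`RULE:[n:fmt](regex)s/pat/repl/` and `DEFAULT`), with a constructed rule set and realm. A principal that matches no rule gets no local user, so the service must reject it rather than guess.

```python
import re

# Constructed sample rules in Hadoop auth_to_local syntax (assumption: EXAMPLE.COM is the local realm).
SAMPLE_RULES = [
    "RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*//",           # alice@EXAMPLE.COM -> alice
    "RULE:[2:$1@$0](hdfs@EXAMPLE\\.COM)s/.*/hdfs/",      # hdfs/host@EXAMPLE.COM -> hdfs
    "RULE:[2:$1/$2@$0](.*/admin@EXAMPLE\\.COM)s/.*/admin/",  # bob/admin@EXAMPLE.COM -> admin
    "DEFAULT",                                           # single-component principals in the local realm
]
DEFAULT_REALM = "EXAMPLE.COM"

# RULE:[n:fmt](match_regex)s/pattern/replacement/g  (match regex and substitution are optional)
_RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?")


def parse_principal(principal):
    """Split name[/instance]@REALM into its components and realm."""
    if "@" not in principal:
        raise ValueError("principal must include a realm")
    local, realm = principal.rsplit("@", 1)
    return local.split("/"), realm


def translate(principal, rules=SAMPLE_RULES, default_realm=DEFAULT_REALM):
    """Return the local username for a Kerberos principal, or None if no rule matches.

    None means the service has no mapping for this principal and should deny access;
    it must not fall back to the raw principal name.
    """
    parts, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals from the local realm
            if realm == default_realm and len(parts) == 1:
                return parts[0]
            continue
        m = _RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError(f"malformed auth_to_local rule: {rule}")
        n, fmt, match_re, pat, repl, flag = m.groups()
        if int(n) != len(parts):            # rule applies only to principals with n components
            continue
        short = fmt.replace("$0", realm)    # $0 is the realm, $1..$n the components
        for i, p in enumerate(parts, start=1):
            short = short.replace(f"${i}", p)
        if match_re and not re.fullmatch(match_re, short):
            continue
        if pat is not None:                 # apply s/pat/repl/ (first match unless 'g')
            short = re.sub(pat, repl, short, count=0 if flag == "g" else 1)
        return short
    return None
```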