Created on 01-12-2016 10:19 PM - edited 09-16-2022 02:56 AM
Beginner question on Kerberos authentication for hadoop cluster.
Our cluster uses an edge node for submitting any Oozie/Hive/Sqoop jobs to the cluster. In the core-site.xml file I saw that Kerberos authentication was enabled using the hadoop.security.authentication property. Since Kerberos is enabled, I thought we need Kerberos tickets for any edge node to cluster communication, or at least until we get delegation tokens. But I am able to submit jobs (Sqoop job from Oozie) in the Hadoop cluster from my ID without even getting a Kerberos ticket, and the job ran successfully. (Irrespective of having an edge node in the cluster or not, a Kerberos ticket is required, correct?)
How does this work even without a Kerberos ticket? Can someone please explain?
And I also read that Kerberos can be integrated with LDAP for storing passwords. When I log in to the edge node (running Linux) and check klist, it shows a Kerberos key with the corporate realm. How do they set it up to get a Kerberos ticket by default when you log in? I could not see a kinit command in the /etc/profile file.
And even if this default ticket is obtained, I think it may not be enough to run jobs on the Hadoop cluster, since the Hadoop cluster is in a different realm and the default key is for a different realm. So I am confused about these security basics: why is my job running without getting a key, and how do I get a default key (for a different realm) when I log in?
This question may be naive; it would be helpful if you could explain or point me to the right article or book that explains the security details.
Created 01-12-2016 10:24 PM
Your edge node is integrated with AD/LDAP using nslcd, sssd or vas; that's what authenticates your ID against LDAP.
"But I am able to submit jobs (Sqoop job from oozie) in Hadoop cluster from my ID without even getting a kerberos ticket and job ran successfully." The oozie user got the ticket for the Sqoop job.
Created 01-12-2016 11:01 PM
Thanks for the quick reply.
Oozie is also submitted using my ID only. Just now something struck me: when I do klist after logging in, the service principal starts with "krbtgt/". Is it a ticket granting ticket and not the ticket itself?
I need a Kerberos ticket regardless, for any interaction with Kerberos-protected servers, right? (Irrespective of the edge node being in the cluster or not.) Oozie is also running under my ID; how did it run without a ticket? I see other prod scripts using kinit -kt explicitly to get a ticket. Why is my script running without a ticket?
Created 01-13-2016 01:28 PM
The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory. (Source)
Yes, you do need a ticket from the KDC ("authentication").
Created 01-14-2016 05:57 PM
If you were logged in via Kerberos when you submitted the work, the clients usually pick up your credentials and then request Hadoop delegation tokens from the various services.
Try using "kdestroy" to remove your Kerberos tickets and repeating your operations, to see what happens then.
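The two practical questions in this thread (what the "krbtgt/" entry in klist means, and whether a ticket for the corporate realm is enough for a cluster in another realm) can be checked from a script before a job is submitted. The following shell script is an added example and is not code from the thread or from any Hadoop distribution: it parses klist output to see which realms the session holds a ticket-granting ticket for, and obtains one from a keytab with kinit -kt (as the prod scripts mentioned above do) when the cluster realm is missing. The realm names, keytab path, principal and the embedded klist output are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the current login
# session already holds a TGT for the cluster realm before submitting a
# job, and otherwise get one from a keytab. All names below are made up.

CLUSTER_REALM="${CLUSTER_REALM:-HADOOP.EXAMPLE.COM}"     # placeholder realm
KEYTAB="${KEYTAB:-/home/batch/batch.keytab}"              # placeholder path
PRINCIPAL="${PRINCIPAL:-batch@HADOOP.EXAMPLE.COM}"        # placeholder principal

# Constructed klist output modelled on the "default ticket after login"
# case from the thread: sssd/nslcd obtained a TGT for the corporate
# realm only. The "krbtgt/REALM@REALM" line IS the ticket-granting
# ticket; service tickets (e.g. for a NameNode) would appear as
# extra lines such as "nn/host@REALM" once a client requests them.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@CORP.EXAMPLE.COM

Valid starting       Expires              Service principal
01/12/2016 22:00:00  01/13/2016 08:00:00  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM'

# has_tgt_for_realm KLIST_OUTPUT REALM
# Returns 0 if the cache holds a TGT usable in REALM. This matches both a
# direct TGT (krbtgt/REALM@REALM) and a cross-realm TGT issued through a
# trust (krbtgt/REALM@OTHER), since either lets the client ask REALM's KDC
# for service tickets. Fixed-string match so dots in the realm are literal.
has_tgt_for_realm() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@"
}

# tgt_realms KLIST_OUTPUT
# Prints the realm of every TGT in the cache, one per line.
tgt_realms() {
    printf '%s\n' "$1" | sed -n 's#.*krbtgt/\([^@ ]*\)@.*#\1#p'
}

# ensure_cluster_ticket
# Live entry point: reads the real ticket cache with klist (empty output
# if the Kerberos client tools are absent or the cache is empty), and only
# runs kinit -kt when no TGT for the cluster realm is present.
ensure_cluster_ticket() {
    out=$(klist 2>/dev/null || true)
    if has_tgt_for_realm "$out" "$CLUSTER_REALM"; then
        echo "TGT for $CLUSTER_REALM already present"
        return 0
    fi
    echo "No TGT for $CLUSTER_REALM (have: $(tgt_realms "$out" | tr '\n' ' '))"
    if [ -r "$KEYTAB" ]; then
        kinit -kt "$KEYTAB" "$PRINCIPAL"
        return $?
    fi
    echo "keytab $KEYTAB not readable; run kinit $PRINCIPAL first" >&2
    return 1
}

# Run the live check only when asked, so the script can be sourced safely.
[ "${1:-}" = "--live" ] && ensure_cluster_ticket
```

Run it as `sh check_ticket.sh --live` on the edge node; after `kdestroy`, as suggested above, the report shows an empty realm list, which makes the difference between "the login TGT is enough" and "the job needs its own kinit" visible before the job is submitted.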