Ranger

Contributor

Hello Team,

 

We have scheduled the command below:

kinit -R -kt /opt/striim/streamset.keytab streamset/RB-HADOOP-03@INNOV.LOCAL

 

Does this refresh the ticket?

 

We have an ETL tool that will replicate data to Kudu. The user on the ETL tool will receive authentication keys and save them in a "keytab"? Then Ranger will allocate this user a ticket? How do we analyze this ticket? What is its purpose?

 

Thanks,

 

Roshan


4 REPLIES

Expert Contributor

Hi @roshanbi ,

 

You can check with klist if the keytab file actually contains proper credentials.

 

klist -kt /opt/striim/streamset.keytab

 

If the output of this command shows "streamset/RB-HADOOP-03@INNOV.LOCAL" as the principal, then the kinit command will refresh the ticket for this principal.

 

By default, Kerberos tickets are valid for 8 hours, so you should schedule the kinit command to renew the ticket every 8 hours.

 

Thanks,

Megh
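
The keytab check and scheduled kinit from the reply above, as an added example that is not part of the original thread. It assumes the MIT Kerberos `klist` and `kinit` tools; the function names and the sample `klist -kt` output are constructed for illustration, and the owner-only permission check is an addition beyond what the reply describes.

```shell
#!/usr/bin/env bash
# Added example: validate a keytab, then obtain a fresh ticket from it (MIT Kerberos tools).
KEYTAB="${KEYTAB:-/opt/striim/streamset.keytab}"             # path from the thread
PRINCIPAL="${PRINCIPAL:-streamset/RB-HADOOP-03@INNOV.LOCAL}" # principal from the thread

# Constructed sample of `klist -kt` output, for checking the parser offline.
SAMPLE_KLIST_KT='Keytab name: FILE:/opt/striim/streamset.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 10:00:00 streamset/RB-HADOOP-03@INNOV.LOCAL
   2 01/01/2024 10:00:00 streamset/RB-HADOOP-03@INNOV.LOCAL'

# Reads `klist -kt` output on stdin; succeeds only if an entry's principal
# (last field) is exactly $1, so a name without the realm does not match.
keytab_has_principal() {
  awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# A keytab holds the principal's long-term key, so it should be accessible to
# its owner only: characters 5-10 of the ls mode string (group/other) must be empty.
keytab_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

refresh_ticket() {
  keytab_private "$KEYTAB" || { echo "$KEYTAB is group/world accessible" >&2; return 2; }
  klist -kt "$KEYTAB" | keytab_has_principal "$PRINCIPAL" ||
    { echo "$PRINCIPAL not found in $KEYTAB" >&2; return 3; }
  # -kt requests a new TGT with the keytab key; no password prompt, no -R
  # (in MIT kinit, -R renews an existing renewable TGT instead).
  kinit -kt "$KEYTAB" "$PRINCIPAL" || return 4
  klist -s   # exit status 0 only if the cache now holds a valid ticket
}

# Scheduler entry point: run this script with --refresh
if [ "${1:-}" = "--refresh" ]; then refresh_ticket; fi
```

Run it with `--refresh` from the scheduler; a non-zero exit status tells the job which step failed (2 permissions, 3 principal missing, 4 kinit).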

Contributor

Hi @vidanimegh 

 

Thanks for the update.

 

How is the keytab generated?

 

Can you please explain the flow of authentication using Ranger? The role of principal, tickets and authentication key?

 

Regards,

 

Roshan

Expert Contributor

Hi @roshanbi ,

 


How is the keytab generated?

The keytabs can be generated using ktutil command.

 

Can you please explain the flow of authentication using Ranger?

Ranger is used for authorization and not authentication. This happens through plugins such as the HDFS plugin, Hive plugin, YARN plugin, Kafka plugin, etc.

E.g. for HDFS, the high-level flow is something like this:

  1. Whenever an HDFS operation is received from an HDFS client, it is first authenticated with Kerberos to check whether the Kerberos principal holds a valid ticket.
  2. After successful authentication, the request is forwarded to the Ranger HDFS plugin to check whether there is a policy existing in Ranger to allow this principal to access the resource being requested.
  3. After the authorization is successful, the NameNode performs the requested operation.

The role of principal, tickets and authentication key?

The principal is equivalent to a user.

Tickets are issued for a period of 8 hours so that users do not have to authenticate using a password for each individual request.

 

Not sure what you mean by authentication key in this context.

 

Thanks,

Megh

Contributor

Thanks a lot for the info