After enabling Kerberos, users are still able to access the service without a ticket

I have enabled Kerberos using an existing MIT KDC successfully, but when I try to access the services without using tickets, they still get accessed. I did sudo su hdfs, then executed the command hdfs dfs -ls /user, and it got listed in the kerberized environment.

Thanks

Re: After enabling Kerberos, users are still able to access the service without a ticket

@Anurag Mishra

Once you enable Kerberos through Ambari, the services are restarted and, in the background, kinit is run for the application users; they should have valid tickets, else the cluster won't start.

To validate, check whether user hdfs has a valid Kerberos ticket:

# su - hdfs
$ klist

You should see output like the below, which shows hdfs has a valid Kerberos ticket and can run all hdfs commands:

Ticket cache: FILE:/tmp/krb5cc_507
Default principal: hdfs-London@TEST.COM
Valid starting     Expires            Service principal
06/28/18 22:57:11  06/29/18 22:57:11  krbtgt/TEST.COM@TEST.COM 		renew until 06/28/18 22:57:11
06/28/18 22:57:11  06/29/18 22:57:11  HTTP/london.TEST.COM@TEST.COM	renew until 06/28/18 22:57:11
06/28/18 22:57:11  06/29/18 22:57:11  HTTP/london.TEST.COM@TEST.COM 	renew until 06/28/18 22:57:11

To prove that Kerberos won't allow user hdfs to run any service in the cluster, let's destroy the current ticket. As hdfs, run:

$ kdestroy

Now if you run the previous klist command, the output should be different, and the command below, which previously ran successfully, will fail with a Kerberos error:

$ hdfs dfs -ls /

Now, to grab a valid ticket, the user hdfs has to kinit:

$ kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-London@TEST.COM

The form is kinit -kt {hdfs_keytab} {hdfs_principal}. To get the principal of a particular keytab, you will need to run:

$ klist -kt  /path/to/keytab

The output will give you the principal of that keytab.

Please don't forget to vote a helpful answer and accept the best answer.

HTH
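
The check described in the reply above, as an added example that is not part of the original thread: a shell function that reads klist text and reports whether the cache holds an unexpired TGT. The function name tgt_status and the sample text are constructed for illustration, and the MM/DD/YY HH:MM:SS date layout is assumed from the output shown in the answer.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): classify a ticket cache from klist text.
# Assumption: dates use the MM/DD/YY HH:MM:SS layout shown in the answer.

# tgt_status NOW -- reads klist output on stdin and prints one of:
#   valid <principal> | expired <principal> | none
# NOW is given in the same "MM/DD/YY HH:MM:SS" layout, so no date tool is needed.
tgt_status() {
  awk -v now="$1" '
    # Turn "MM/DD/YY" and "HH:MM:SS" into a sortable YYMMDDHHMMSS string.
    function key(d, t,   p) {
      split(d, p, "/"); gsub(":", "", t)
      return p[3] p[1] p[2] t
    }
    BEGIN { split(now, n, " "); nowkey = key(n[1], n[2]); state = "none" }
    /^Default principal:/ { princ = $3 }
    # TGT entry: start date, start time, expiry date, expiry time, krbtgt/REALM@REALM.
    # Only the expiry is compared; HTTP/ and other service tickets are ignored.
    $5 ~ /^krbtgt\// {
      if (nowkey < key($3, $4)) state = "valid"
      else if (state != "valid") state = "expired"
    }
    END { if (state == "none") print "none"; else print state, princ }
  '
}

# Constructed sample in the layout from the answer (not real cluster output).
SAMPLE='Ticket cache: FILE:/tmp/krb5cc_507
Default principal: hdfs-London@TEST.COM
Valid starting     Expires            Service principal
06/28/18 22:57:11  06/29/18 22:57:11  krbtgt/TEST.COM@TEST.COM
06/28/18 22:57:11  06/29/18 22:57:11  HTTP/london.TEST.COM@TEST.COM'

# Before expiry, after expiry, and with no cache text at all (as after kdestroy).
printf '%s\n' "$SAMPLE" | tgt_status "06/29/18 08:00:00"
printf '%s\n' "$SAMPLE" | tgt_status "06/30/18 08:00:00"
printf '' | tgt_status "06/29/18 08:00:00"
```

On a live host, feed it real output with klist 2>/dev/null | tgt_status "$(date '+%m/%d/%y %H:%M:%S')". MIT klist also has a -s option that prints nothing and exits non-zero when the cache is missing or expired.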