
granting services access in kerberized cluster without keytab

I want to create a user who can access the HDP services in the kerberized cluster without creating a keytab for this user. Is there any way we can do so? Is there a way to bypass Kerberos security?



@Anurag Mishra

Your request to bypass Kerberos defeats the reason why the cluster is kerberized in the first place. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. ... It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise. In short, it's like a biometric passport: you, the client/user, present your passport, the KDC validates it against the signature database, and once it passes you get the ticket to do business on the cluster. In the first place, why would you give access to a user/service that isn't authorized?

There is no way you can grant access to a kerberized cluster without using a keytab. The only workaround would be, if you are using AD for authentication, to create a service account keytab and give permission to a group of which this user is a member.

Here is how it works:

Step 1: When the user logs in to his or her machine, the principal is sent to the KDC server for login, and the KDC server provides a TGT in return (this request to the KDC server can be sent by the login program, or we can also use the kinit program).

Step 2: The KDC server searches for the principal name in its database; on finding the principal, a TGT is generated by the KDC, which is encrypted with the user's key and sent back to the user.

Step 3: When the user gets the TGT, the user decrypts it with the help of kinit (using the user's key). An important fact to note here is that the client machine stores its key on its own machine only, and this is never transmitted over the wire.

Step 4: The TGT received by the client from the KDC server is stored in the cache for use for the session duration. There is always an expiration time set on the TGT offered by the KDC server, so that an expired TGT can never be used by an attacker.

Step 5: Now the client has the TGT in hand. Suppose the client needs to communicate with some service on that network; the client asks the KDC server for a ticket for that specific service with the help of the TGT.
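The five steps above, played out as a runnable toy model of the AS and TGS exchanges. This is an added example, not code from the original post or from HDP or MIT Kerberos: the realm, principal names and hostnames are made up, the ticket lifetime is shortened, and a stdlib-only stream cipher (SHA-256 keystream plus HMAC tag) stands in for the AES encryption types a real KDC uses. It also shows why "no keytab" is not a way around the KDC: the client's long-term key, whether typed into kinit or read from a keytab, is the only thing that can open the AS reply, and a principal that is not in the KDC database gets nothing at all.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"      # assumption: made-up realm
TICKET_LIFETIME = 600      # seconds; toy value, real TGTs default to hours


def derive_key(principal, password):
    """String-to-key: the long-term key the KDC stores for a principal.
    A keytab is this key written to a file instead of typed at kinit."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key, obj):
    """Toy authenticated encryption standing in for Kerberos AES etypes."""
    nonce = os.urandom(16)
    data = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Holds the principal database (the 'signature database' of the answer)."""

    def __init__(self, db):
        self.db = db
        self.krbtgt_key = db["krbtgt/" + REALM]

    def as_exchange(self, principal, now):
        # Steps 1-2: look the principal up; return a TGT sealed with the krbtgt
        # key plus the session key sealed with the user's own key. No key or
        # password ever crosses the wire, only ciphertext.
        if principal not in self.db:
            raise KeyError("client not found in Kerberos database")
        session, expires = os.urandom(32).hex(), now + TICKET_LIFETIME
        tgt = encrypt(self.krbtgt_key, {"client": principal, "session": session, "expires": expires})
        return tgt, encrypt(self.db[principal], {"session": session, "expires": expires})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # Step 5: the TGT plus an authenticator under the session key buys a
        # service ticket; expired TGTs and forged authenticators are refused.
        t = decrypt(self.krbtgt_key, tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        auth = decrypt(bytes.fromhex(t["session"]), authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        if service not in self.db:
            raise KeyError("server not found in Kerberos database")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.db[service], {"client": t["client"], "session": svc_session,
                                            "expires": now + TICKET_LIFETIME})
        return ticket, encrypt(bytes.fromhex(t["session"]), {"session": svc_session})


def kinit(kdc, principal, user_key, now):
    """Steps 3-4: open the AS reply with the user's key, cache TGT + session key."""
    tgt, enc_part = kdc.as_exchange(principal, now)
    part = decrypt(user_key, enc_part)        # wrong password/keytab fails here
    return {"principal": principal, "tgt": tgt, "session": bytes.fromhex(part["session"])}


def request_service(kdc, ccache, service, now):
    authenticator = encrypt(ccache["session"], {"client": ccache["principal"], "time": now})
    ticket, _ = kdc.tgs_exchange(ccache["tgt"], authenticator, service, now)
    return ticket


def service_accepts(service_key, ticket, now):
    """The service (e.g. a NameNode) opens the ticket with its own keytab key."""
    t = decrypt(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    return t["client"]


def run_scenarios():
    """Constructed scenarios; returns each outcome keyed by name."""
    user, nn = "anurag@" + REALM, "nn/namenode.example.com@" + REALM  # made-up names
    db = {"krbtgt/" + REALM: os.urandom(32),
          user: derive_key(user, "correct horse"),
          nn: os.urandom(32)}                   # service keys live in keytabs
    kdc, now, out = KDC(db), time.time(), {}
    cc = kinit(kdc, user, derive_key(user, "correct horse"), now)
    out["happy_path"] = service_accepts(db[nn], request_service(kdc, cc, nn, now), now)
    try:   # principal absent from the KDC database: nothing to issue against
        kinit(kdc, "nobody@" + REALM, b"\0" * 32, now)
    except KeyError as e:
        out["unknown_principal"] = str(e)
    try:   # right principal, wrong key: the AS reply cannot be opened
        kinit(kdc, user, derive_key(user, "guess"), now)
    except ValueError as e:
        out["wrong_key"] = str(e)
    try:   # cached TGT past its lifetime is refused by the TGS
        request_service(kdc, cc, nn, now + TICKET_LIFETIME + 1)
    except ValueError as e:
        out["expired_tgt"] = str(e)
    return out
```

Running `run_scenarios()` gives the happy path the client principal name as seen by the service, and each of the three failure cases the error the KDC or client raises. The AD workaround in the answer fits the same model: the service account is simply another entry in the database, and its keytab is that entry's key on disk.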




@Anurag Mishra

Any updates
