
limits between Kerberos and Ranger for authorizations

Explorer

Hi,

I am wondering about which authorization-related module is doing exactly what.

So my view = at first glance, at a high level:

1) Kerberos: does authentication

2) Ranger: does authorization

So, Kerberos' role:

1.a) a client requests Kerberos and gets (in return) a Ticket Granting Ticket (TGT)

1.b) and, next, the same client uses the Ticket Granting Ticket (TGT) to get (in return) a TS (Ticket Service) for a __given__ service.

Next step: Ranger is used for authorization.

But (1.b) looks like some kind of authorization to me... even before Ranger comes into the game...

Because if a client gets a TS (Ticket Service) for a __given__ service, then one could see that as "ok, the client is __authorized__ for the __requested__ service" at a high level (while Ranger gives low-level authorizations).


So, it looks like Kerberos could be seen as doing things in the "authorization" league, while Ranger operates too in the same league, but at a lower-level.

Option_1 : Kerberos is authorizing, or not, access to a given service from such or such client while granting, or not, a TS (Ticket Service)

=> Is it the case? Is Kerberos doing this bit of authorization (giving, or not, a TS)?

Then, is Kerberos configured to do so through Ambari?

Option_2 : Kerberos is giving a TS (Ticket Service) for __any__ service

And it is not a problem, because, in the next steps, Ranger is filtering access through its authorization configuration. And then, Kerberos is only doing authentication, while Ranger is doing authorization.

Does anybody know which option (Option_1 or Option_2) is valid?

Thanks.

1 ACCEPTED SOLUTION

Super Collaborator

Kerberos is really just doing authentication, not authorization. But it authenticates the service as well, not only the user. The TS is only valid when the service has the correct keytab (or TGT).

It is possible that a TS is not granted because either the TGT is not valid or the requested service is not known to the KDC.

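To make the accepted answer concrete, here is a toy model of the two Kerberos exchanges and of a separate authorization step. It is added to this page as an example; it is not code from the thread, from Cloudera, Ranger or MIT Kerberos. It shows the KDC issuing a service ticket (the TS in this thread) for any registered service principal once the TGT and authenticator check out, the service being able to open that ticket only with its own keytab key, and a Ranger-style policy lookup being the only place a per-user access decision is made. The seal()/unseal() HMAC scheme stands in for real Kerberos encryption types, and the realm, principals, keys and policy table are all constructed.

```python
"""Toy model of the Kerberos AS and TGS exchanges followed by a separate authorization check.
Constructed example, not Cloudera, Ranger or MIT Kerberos code: the toy HMAC-based seal()
stands in for real Kerberos encryption types; realm, principals, keys and policies are made up."""
import hashlib
import hmac
import json
import os
import time

def _keystream(key, nonce, length):
    # Keystream bytes from HMAC(key, nonce || counter); a toy stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, payload):
    """Seal a dict under `key`: nonce || (plaintext XOR keystream) || HMAC tag."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the payload only if `key` is the key the blob was sealed under."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

class KDC:
    """Holds one long-term key per principal plus its own krbtgt key."""
    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)
        self.tgs_key = os.urandom(32)  # krbtgt key; never leaves the KDC

    def as_exchange(self, client):
        """AS-REQ/AS-REP: TGT sealed for the KDC itself, session key sealed for the client."""
        if client not in self.keys:
            raise LookupError("unknown client principal")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session, "expires": time.time() + 36000})
        return tgt, seal(self.keys[client], {"session": session})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: issue a service ticket for ANY registered service principal.
        Checked: the TGT is genuine and unexpired, the authenticator proves the caller holds
        its session key, and the service principal is known. No access policy is consulted."""
        body = unseal(self.tgs_key, tgt)
        if body["expires"] < time.time():
            raise PermissionError("TGT expired")
        if unseal(bytes.fromhex(body["session"]), authenticator)["client"] != body["client"]:
            raise PermissionError("authenticator does not match TGT")
        if service not in self.keys:
            raise LookupError("unknown service principal")
        return seal(self.keys[service], {"client": body["client"], "service": service})

def service_accepts(keytab_key, ticket, service):
    """The service proves a ticket is genuine by unsealing it with its own keytab key."""
    try:
        body = unseal(keytab_key, ticket)
    except ValueError:
        return None
    return body["client"] if body["service"] == service else None

# Ranger-like policy table (constructed): the authorization decision lives here, not in the ticket.
POLICIES = {"hdfs/nn.example.com@EXAMPLE.COM": {"alice@EXAMPLE.COM": {"/data/public"}}}

def authorize(service, client, resource):
    """Authorization is a separate decision, taken once the client is authenticated."""
    return resource in POLICIES.get(service, {}).get(client, set())

def run_scenario():
    """Walk alice through AS, TGS, service-side validation and authorization."""
    alice, hdfs, hive = "alice@EXAMPLE.COM", "hdfs/nn.example.com@EXAMPLE.COM", "hive/hs2.example.com@EXAMPLE.COM"
    keys = {p: os.urandom(32) for p in (alice, hdfs, hive)}  # constructed long-term keys (keytabs)
    kdc = KDC(keys)
    tgt, enc_part = kdc.as_exchange(alice)
    session = bytes.fromhex(unseal(keys[alice], enc_part)["session"])  # only alice's key opens this
    def ticket_for(service):  # fresh authenticator under the TGT session key for each request
        return kdc.tgs_exchange(tgt, seal(session, {"client": alice, "ctime": time.time()}), service)
    hdfs_ticket = ticket_for(hdfs)
    results = {
        "ticket_for_hdfs": hdfs_ticket is not None,
        "ticket_for_hive": ticket_for(hive) is not None,  # issued although no policy grants alice anything on Hive
        "hdfs_accepts_with_keytab": service_accepts(keys[hdfs], hdfs_ticket, hdfs),
        "hdfs_accepts_with_wrong_key": service_accepts(keys[hive], hdfs_ticket, hdfs),
        "alice_reads_public": authorize(hdfs, alice, "/data/public"),
        "alice_reads_finance": authorize(hdfs, alice, "/data/finance"),
    }
    try:
        ticket_for("yarn/rm.example.com@EXAMPLE.COM")  # not registered with the KDC
        results["unknown_service_refused"] = False
    except LookupError:
        results["unknown_service_refused"] = True
    return results
```

Running `run_scenario()` shows the split the answer describes: the KDC hands out tickets for HDFS and Hive alike because both principals are registered and the TGT is valid, and it refuses only the unregistered service; the HDFS service accepts the ticket with its own keytab key and gets nothing from it with another service's key; and whether alice may read `/data/finance` is answered by the policy table alone, which the ticket never consulted.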

3 REPLIES


Explorer

Thanks Harald for your quick answer.

While reading it, I understand the following:

1) as soon as the TGT is valid

2) and also, if the requested service has been also authenticated,

then the TS is granted...

So, (1) is about client authentication and (2) is about service authentication.

And then, (2) is not about authorization as I understood previously (see my first post).

Is my understanding of your sentences correct?

Thanks

Super Collaborator

Hi Dominique, yes, that's correct.