Hi,
I am wondering about which authorization-related module is doing exactly what.
So my view = at first glance, at high level:
1) Kerberos : does authentication
2) Ranger: does authorization
So, Kerberos role:
1.a) a client requests Kerberos and gets (in return) a Ticket Granting Ticket (TGT)
1.b) and, next, the same client uses the Ticket Granting Ticket (TGT) to get (in return) a TS (Ticket Service) for a __given__ service.
Next step : Ranger is used for authorization.
But (1.b) looks like some kind of authorization to me... even before Ranger comes into the game...
Because if a client gets a TS (Ticket Service) for a __given__ service, then one could see that as "ok, the client is __authorized__ for the __request__ service".at a high-level (while Ranger gives low-level authorizations)
So, it looks like Kerberos could be seen as doing things in the "authorization" league, while Ranger operates too in the same league, but at a lower-level.
Option_1 : Kerberos is authorizing, or not, access to a given service from such or such client while granting, or not, a TS (Ticket Service)
=> is it the case ? is Kerberos doing this bit of authorization (giving, or not, a TS) ?
Then, is Kerberos configured to do so through Ambari ?
Option_2 : Kerberos is giving a TS (Ticket Service) for __any__ service
And it is not a problem, because, in the next steps, Ranger is filtering access throught its authorization configuration. And then, Kerberos is only doing authentication, while Ranger is doing authorization.
Does anybody know if which option (Option_1 or Option_2) is valid ?
Thanks.
