Member since: 09-21-2016
Posts: 15
Kudos Received: 0
Solutions: 0
06-18-2018 02:51 PM
Geoffrey Shelton Okot, thanks for your answer. Unfortunately for me, it leads to more (inner) questions 😉

1) While the client/Kerberos dialogues are well described with a non-encrypted secret key for the client (as described on Wikipedia), I have not yet found a description explaining how the parties agree to work together when the client side has only an encrypted secret key in a keytab.

2) I don't see why things are improved after encrypting the secret key in a keytab. AFAIU, an identity could be stolen by copying a keytab, and in that case, having a secret key inside the keytab, encrypted or not, does not seem to change anything related to keytab copy protection.

Some things are still obscure to me. About (1): do you have any link pointing to a detailed protocol description for the case of an encrypted secret key in a keytab? Thanks again.
06-11-2018 09:21 AM
Hi, I have not kerberized my Hadoop cluster yet, but I am wondering about keytab content. Originally, I thought a keytab is just 1..N pairs of (principal name, unencrypted secret key). But recently, while trying to validate that point of view, I have read, here for example, that the secret key is stored encrypted. So it means that there should be a master key somewhere to store the keytab's secret in encrypted form. So, my (simple) questions:

- How is a secret key stored inside a keytab? Raw (unencrypted)? Encrypted?
- If stored encrypted, what is the master key used to encrypt the keytab's secret?

Thanks.
Labels: Apache Hadoop
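The on-disk layout that the two keytab questions above (the 06-11-2018 and 06-18-2018 posts) ask about, as an added example that is not part of the original thread: a writer and a parser for MIT's version-2 keytab format, in which each entry carries the principal's key bytes verbatim (the key is derived from the password by the enctype's string-to-key function, but it is not encrypted inside the file), so the file's owner and mode are what protect it. The principal, key bytes, kvno and timestamp used in the test are constructed sample values.

```python
import struct
# MIT keytab, version 0x0502, all integers big-endian. Each entry is:
#   int32 entry_len | uint16 n_comps | realm | comp[0..n) | uint32 name_type |
#   uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key bytes |
#   [uint32 kvno]          (realm and comps are uint16 length-prefixed strings)
KEYTAB_MAGIC = b"\x05\x02"

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_keytab(principal: str, enctype: int, key: bytes, kvno: int, ts: int) -> bytes:
    """Serialise a single-entry keytab; the caller supplies (constructed) sample values."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)       # name_type 1 = NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key   # key bytes go in as-is
    body += struct.pack(">I", kvno)                       # optional 32-bit kvno trailer
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list:
    """Return every live entry with the key bytes exactly as they sit in the file."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only version 0x0502 keytabs are handled here")
    off, entries = 2, []
    def take_str():
        nonlocal off
        (ln,) = struct.unpack_from(">H", data, off); off += 2
        s = data[off:off + ln]; off += ln
        return s.decode()
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size <= 0:                 # negative size marks a hole left by a deleted entry
            off += -size; continue
        end = off + size
        (n,) = struct.unpack_from(">H", data, off); off += 2
        realm = take_str()
        comps = [take_str() for _ in range(n)]
        _nt, ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        etype, klen = struct.unpack_from(">HH", data, off); off += 4
        key = data[off:off + klen]; off += klen
        kvno = vno8
        if end - off >= 4:            # 32-bit kvno present; overrides vno8 when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": etype,
                        "kvno": kvno, "timestamp": ts, "key": key})
        off = end
    return entries
```

Running the parser over a real keytab (for example one produced by kadmin or ktutil) shows the same thing: the key field is the raw key, which is why a copied keytab is equivalent to the password for that principal.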
05-21-2018 03:52 PM
In most examples, Knox is presented as a gateway to a secure Hadoop cluster, with Kerberos-based security I mean. Does Knox work as a gateway with an UNsecured Hadoop cluster (that is, with default Hadoop security)? Is Knox able to offer SSO in that case? Thanks
Labels: Apache Knox
03-19-2018 01:21 PM
@dvillarreal oops, I missed those. Thanks for pointing me to the policy change/update traces/audits.
03-15-2018 12:45 PM
Well, AFAIR now, Ranger audits itself for some features.

Ranger KMS produces its own audit logs, as the HDP docs say:

"7.1.3. Enable Ranger KMS Audit. Ranger KMS supports audit to DB, HDFS, and Solr. Solr is well-suited for short-term auditing and UI access (for example, one month of data accessible via quick queries in the Web UI). HDFS is typically used for archival auditing. They are not mutually exclusive; we recommend configuring audit to both Solr and HDFS."

And whenever an "admin" user makes some user profile modifications, the Ranger Admin Console stores a trace.

And a trace is written too when a user (whoever he/she is) connects to the Ranger Admin Console.

These last two kinds of traces can be displayed through the Ranger Admin Console "Audit" feature. But does Ranger write any trace for resource-based policy modifications? I don't know. If anyone has a clue and wants to share it, thanks.
02-16-2018 08:42 AM
Hi, Ranger collects audit logs through its plugins. Does Ranger audit itself also? I mean: does Ranger produce an audit log when an admin account is, for example, creating a new user or modifying an associated role? More generally, do all admin tasks performed through the Ranger UI produce an audit log? Thanks
Labels: Apache Ranger
01-30-2018 10:29 PM
Hi, why is there a need to map Kerberos principals to usernames (and groups too)? AFAIU, it's all about getting (from a principal) a username and a group to match (next) against HDFS authorizations, and to determine whether a Kerberos principal is authorized, or not, to access an HDFS resource. So my question is simple: is there another need for such Kerberos/username and Kerberos/group mapping? Thanks. Regards, Dominique
01-22-2018 09:57 AM
Thanks Harald for your quick answer. While reading it, I understand the following:

1) as soon as the TGT is valid
2) and also, if the requested service has also been authenticated,

then the TS is granted... So, (1) is about client authentication and (2) is about service authentication. And then, (2) is not about authorization as I understood previously (see my first post). Is my understanding of your sentences correct? Thanks
01-21-2018 09:37 PM
Hi, I am wondering about which authorization-related module is doing exactly what. So my view, at first glance and at a high level:

1) Kerberos: does authentication
2) Ranger: does authorization

So, Kerberos' role:
1.a) a client requests Kerberos and gets (in return) a Ticket Granting Ticket (TGT)
1.b) next, the same client uses the Ticket Granting Ticket (TGT) to get (in return) a TS (Ticket Service) for a __given__ service.

Next step: Ranger is used for authorization.

But (1.b) looks like some kind of authorization to me... even before Ranger comes into the game... Because if a client gets a TS (Ticket Service) for a __given__ service, then one could see that as "ok, the client is __authorized__ for the __requested__ service" at a high level (while Ranger gives low-level authorizations). So it looks like Kerberos could be seen as doing things in the "authorization" league, while Ranger operates in the same league too, but at a lower level.

Option_1: Kerberos is authorizing, or not, access to a given service from such or such client while granting, or not, a TS (Ticket Service) => is it the case? Is Kerberos doing this bit of authorization (giving, or not, a TS)? Then, is Kerberos configured to do so through Ambari?

Option_2: Kerberos is giving a TS (Ticket Service) for __any__ service, and it is not a problem, because, in the next steps, Ranger is filtering access through its authorization configuration. And then, Kerberos is only doing authentication, while Ranger is doing authorization.

Does anybody know which option (Option_1 or Option_2) is valid? Thanks.
Labels: Apache Ranger