(and I realize kerberos doesn't do groups)

On Mon, Jul 18, 2016 at 12:05 PM, Todd Grayson <tgray...@cloudera.com> wrote:

> Aneela,
>
> HDFS supports the use of the \L lowercase "macro". This is implemented
> through the HDFS auth_to_local rules, it can be applied using the
> additional rules if within the CDH. The relationship for kerberos from
> hadoop (for a major portion of the platform) traverses the java JGSS
> implementation + hadoop security core classes. (Might be the better thread
> to shift to if you need deeper discussion?)
>
> This is described in the apache hadoop upstream Jira HADOOP-10556
>
> But I agree discussing the approach on getting agreement on the structure
> of username, uppercase/lowercase and group name in general is something to
> be having.
>
>
> On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <ballb...@sinenomine.net>
> wrote:
>
>> While I can’t give you details, it sounds like you want to change the web
>> application to use SPNEGO to do Kerberos authentication with a user; this
>> gives you a credential that you can then use to authenticate to Hadoop.
>>
>> From: Aneela Saleem <ane...@platalytics.com>
>> Date: Monday, July 18, 2016 at 11:13
>> To: Brandon Allbery <ballb...@sinenomine.net>
>> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
>> Subject: Re: Login usecase
>>
>> Thanks Brandon for your response.
>>
>> Actually, my use-case is that I have a web application that authenticates
>> a user. Then user calls my backend services written in java to interact
>> with hadoop cluster. My hadoop cluster is kerberos-enabled. I need to
>> authenticate this user using my java code. I am able to login using keytab
>> files, but I did not get some way to login using password. For logging in
>> using keytab files, we need to place keytab files for all the system users
>> on all the hosts from where we can access our hadoop cluster. So this is
>> the main drawback. And as you say logging using keytab files is not
>> appropriate then how can we achieve this objective?
>>
>> Thanks
>>
>> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballb...@sinenomine.net>
>> wrote:
>> You are going to have to describe what you are trying to do in more
>> detail. Keytabs are not normally used for this purpose, except in the case
>> of automated procedures (e.g. cron) that need to log in to a service as if
>> they are a user. Perhaps you have confused keytabs (“passwords” on disk)
>> with ccaches (ephemeral service credentials, which may or may not be on
>> disk and typically expire in a relatively short time)?
>>
>> On 7/17/16, 16:04, "kerberos-boun...@mit.edu on behalf of Aneela Saleem"
>> <kerberos-boun...@mit.edu on behalf of ane...@platalytics.com> wrote:
>>
>> Hi all,
>>
>> If a user logs into any kerberized Application, using Krb5LoginModule,
>> there is a function loginFromKeyTab. Client should have the key tab file
>> to login to application. But I think this is very insecure way of login.
>> Anyone who could access your key tab file then login to application. Is
>> there any appropriate way to login to system? I don't understand how to
>> do this. I'm stuck
>>
>> Thanks
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>

--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
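
The lowercase mapping mentioned in the quoted reply, as an added example that is not part of the original thread and is not Hadoop's own code: a simplified Python model of how an auth_to_local RULE ending in the lowercase flag (written /L in Hadoop's rule syntax) maps a mixed-case principal to a lowercase short name. The realm EXAMPLE.COM, the principals and the rules are constructed; DEFAULT rules and Java-style back-references in the replacement are not modelled.

```python
import re

# Simplified model of the rule form: RULE:[n:format](match)s/from/to/g/L
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?/?(L)?$")
PRINCIPAL_RE = re.compile(r"([^/@]+)(?:/([^/@]+))?@([^/@]+)$")

# Constructed rules: the first maps the hdfs service principal, the second
# strips the realm from user principals and lowercases the result.
RULES = [
    r"RULE:[2:$1@$0](hdfs@EXAMPLE\.COM)s/.*/hdfs/",
    r"RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*///L",
]


def map_principal(principal, rules):
    """Return the short name from the first applicable rule, else None."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return None
    primary, instance, realm = m.groups()
    # $0 is the realm, $1 and $2 are the principal's components.
    parts = [realm, primary] + ([instance] if instance else [])
    for rule in rules:
        r = RULE_RE.match(rule.strip())
        if not r:
            raise ValueError("unsupported rule: " + rule)
        count, fmt, match, src, dst, repeat, lower = r.groups()
        if int(count) != len(parts) - 1:
            continue  # rule targets a different number of components
        base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue  # the filter must match the whole formatted string
        if src is not None:
            base = re.sub(src, dst, base, count=0 if repeat else 1)
        return base.lower() if lower else base
    return None  # no rule applied; the caller must treat this as a failure


if __name__ == "__main__":
    for p in ("JDoe@EXAMPLE.COM", "hdfs/nn1.example.com@EXAMPLE.COM",
              "jdoe@OTHER.ORG"):
        print(p, "->", map_principal(p, RULES))
```

Without the trailing flag the same rule yields `JDoe`, which will not match a local account or ACL entry named `jdoe`; principals from realms that no rule covers map to nothing and should be rejected rather than passed through.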