Sorry Dominique for the late reply. For components like hadoop servers or hbase servers, currently it requires a keytab file to authenticate with KDC and obtain TGT. So AFAIK, the authentication between Hadoop/hbase server and KDC cannot use certificate.
cheers.
Benoy

On Fri, Apr 6, 2018 at 6:01 AM, Dominique De Vito <[email protected]> wrote:

> Hi Antony,
>
> Thanks for your answer.
>
> > Though I have not used a certificate for authentication, I had used a
> > 2FA based kerberos authentication. Instead of password, it was Pin and a
> > token.
>
> Well, human-client authentication is one point, and thank you for
> confirming it runs with other authentication forms than login/password
> scheme.
>
> The other point (AFAIU) is Hadoop-component-client authentication <= the
> second kind of clients.
>
> To be more precise, I have __no__ idea how an HBase region server
> component is using the "keytab" file (on its node) to authenticate itself
> towards the KDC.
>
> And if it's some __Java__ library that is reading and using the "keytab"
> file, I don't know if this Java library could use certificate too for
> Kerberos authentication.
>
> If you have any thought about this subject (Hadoop-component-client
> authentication with certificate-based Kerberos authentication), I will
> be happy to read them.
>
> Thanks.
>
> Regards,
> Dominique
>
> 2018-04-06 2:56 GMT+02:00 Benoy Antony <[email protected]>:
>
>> Hi Dominique,
>>
>> It should work. This is because the authentication mechanism (password or
>> certificate) is between the client and KDC (kerberos server). Hadoop never
>> knows about the password or certificate. The Hadoop servers receive a
>> service ticket from the client. Client obtains service ticket from KDC.
>> Thus the authentication mechanism (password or certificate) is between
>> the client and KDC.
>>
>> Though I have not used a certificate for authentication, I had used a 2FA
>> based kerberos authentication. Instead of password, it was Pin and a
>> token.
>> The process was like this
>>
>> >kinit username
>>
>> Enter pin and token
>>
>> > hadoop fs -ls
>>
>> On Mon, Mar 26, 2018 at 6:36 AM, Dominique De Vito <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> Well, Hadoop with authentication works with login/password-pattern
>>> Kerberos.
>>>
>>> However, Kerberos could work with certificate-based authentication too.
>>>
>>> Is Hadoop supporting Kerberos authentication with certificate?
>>> To be more precise (or straight to the point, if you want): is Hadoop
>>> working when using certificate-based Kerberos authentication?
>>>
>>> Is there any Hadoop cluster out there running with certificate-based
>>> Kerberos authentication?
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Dominique
