Hi Dominique,

I think you are referring to PKINIT. This is applicable for getting initial TGT. As for region servers (and other similar components in hadoop), the principal is used in two contexts, one as a service and other as a client.

* A service to HBase Client
  To replace service principal with an x509 cert means to replace Kerberos as an authentication mechanism and use mutual TLS (zero cipher for no encryption)
* A Client to HDFS
  It could be possible to do that with PKINIT.

What is the value in doing this? Generally it is more complicated to run a X509 CA infra than a KDC and in general there is always a KDC in the network.

On Fri, Apr 6, 2018 at 6:01 AM, Dominique De Vito <[email protected]> wrote:
> Hi Antony,
>
> Thanks for your answer.
>
>> Though I have not used a certificate for authentication, I had used a 2FA based kerberos authentication. Instead of password, it was Pin and a token.
>
> Well, human-client authentication is one point, and thank you for confirming it runs with other authentication forms than login/password scheme.
>
> The other point (AFAIU) is Hadoop-component-client authentication <= the second kind of clients.
>
> To be more precise, I have __no__ idea how an HBase region server component is using the "keytab" file (on its node) to authenticate itself towards the KDC.
>
> And if it's some __Java__ library that is reading and using the "keytab" file, I don't know if this Java library could use certificate too for Kerberos authentication.
>
> If you have any thought about this subject (Hadoop-component-client authentication with certificate-based Kerberos authentication), I will be happy to read them.
>
> Thanks.
>
> Regards,
> Dominique
>
>
> 2018-04-06 2:56 GMT+02:00 Benoy Antony <[email protected]>:
>>
>> Hi Dominique,
>>
>> It should work. This is because the authentication mechanism (password or certificate) is between the client and KDC (kerberos server). Hadoop never knows about the password or certificate. The Hadoop servers receive a service ticket from the client. Client obtains service ticket from KDC. Thus the authentication mechanism (password or certificate) is between the client and KDC.
>>
>> Though I have not used a certificate for authentication, I had used a 2FA based kerberos authentication. Instead of password, it was Pin and a token.
>> The process was like this
>>
>> >kinit username
>> Enter pin and token
>> > hadoop fs -ls
>>
>>
>> On Mon, Mar 26, 2018 at 6:36 AM, Dominique De Vito <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> Well, Hadoop with authentication works with login/password-pattern Kerberos.
>>>
>>> However, Kerberos could work with certificate-based authentication too.
>>>
>>> Is Hadoop supporting Kerberos authentication with certificate?
>>> To be more precise (or straight to the point, if you want): is Hadoop working when using certificate-based Kerberos authentication?
>>>
>>> Is there any Hadoop cluster out there running with certificate-based Kerberos authentication?
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Dominique
>>>
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
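Added example for the keytab question in the thread (not code from the thread or from Hadoop): a parser for the MIT krb5 keytab format (version 0x0502), run over a constructed sample entry for a hypothetical principal hbase/rs1.example.com@EXAMPLE.COM. Each slot stores the principal's long-term key, the secret shared with the KDC that a keytab login (kinit -kt, or Hadoop's UserGroupInformation.loginUserFromKeytab) uses in the AS exchange; that is the step a PKINIT client replaces with a certificate signature, and it is why a keytab needs the same file protection as a password.

```python
import struct
from collections import namedtuple
# One keytab slot: principal plus its long-term key, the secret a keytab login shares with the KDC.
KeytabEntry = namedtuple("KeytabEntry", "principal timestamp kvno enctype key")

def _counted(buf, off):
    # krb5 counted_octet_string: uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> list:
    # Version 0x0502 keytab, big-endian, as written by kadmin ktadd / ktutil.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # name_type (uint32), timestamp (uint32), 8-bit kvno, then the keyblock
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        key = data[off + 13:off + 13 + klen]
        off += 13 + klen
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), timestamp, kvno, enctype, key))
    return entries

def build_entry(principal, kvno, enctype, key, timestamp, name_type=1):
    # Serializer used only to construct the sample below (hypothetical principal and key).
    name, realm = principal.rsplit("@", 1)
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample: one aes256-cts-hmac-sha1-96 (enctype 18) entry, kvno 3, for a region server principal.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("hbase/rs1.example.com@EXAMPLE.COM", 3, 18, bytes(range(32)), 1523000000)
```

Running `parse_keytab` over a real file (for example one written by `kadmin ktadd`) lists every principal and kvno the node can authenticate as; the key bytes themselves should never be logged.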
