
How does Kerberos work?: Ticket Granting Tickets

1. Authentication

·      The Namenode checks the details of the request and, if the client is a valid user, issues the ticket T (otherwise it refuses to issue one).



C->N: request_ticket, TS, hash<request_ticket, TS, KCN>

N->C: T

·      Message exchange between client C and Datanode D to establish a shared key between them.

C->D: {(KCD, TS, nonce)KRC}KUD, T

D->C: nonce', hash(nonce', KCD)

·      The client sends the ticket T along with the shared key KCD that it wants to establish with the Datanode D. The client also sends a nonce so that the Datanode can verify the freshness of the message.

·      To complete the ticket establishment step, the Datanode has to respond to a nonce challenge.

·      T = <IDU, KUC, IV, TS, TE>KRM

·      KCD = hash<IV, KUD, random_data>

·      T contains the user id, the client's public key, an initialization vector and the ticket's lifetime (TS to TE).

·      The shared key KCD is computed by hashing the IV with the Datanode's public key KUD and some random data.

2. Capabilities

·      To read data from HDFS the client has to obtain block locations and capabilities from the Namenode before it goes to the Datanodes.

C->N: read(path), TS, hash<read(path), TS, KUCN>

N->C: block_locations, hash<block_locations>



·      The capabilities are embedded into the block location information and signed by the Namenode. The Datanode verifies the capabilities and allows or denies the read accordingly.

C->D: read(block), T

·      Description of the capability information embedded into the block location information. The signature (with the Namenode's private key KRN) over the capability and the block id is also embedded:

C = ID, permissions, path

Sign = <C, block_id>KRN

Revocation of capabilities

·      Capabilities can potentially be re-used by clients to read data from HDFS at any time after they were issued. However, file permissions change over time.

·      Revocation of capabilities needs to be done in order to prevent replay attacks.

·      Capabilities issued by the Namenode will have an expiry period (say 1 hr), and this can be configured in hadoop-site.xml.



·      The client has to get a renewal ticket issued by the Namenode and has to present it to the Datanode with every request after the capabilities expire. If the renewal ticket is not presented, the Datanode will deny the request.

·      Revocation of capabilities is also done actively by the Namenode. This is done by sending a message to the Datanodes telling them to deny the particular capabilities.
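The capability checks described above (signature over <C, block_id>, expiry, active revocation), as an added example that is not part of this page's design notes. It stands in for the Namenode's private-key signature KRN with an HMAC under a constructed key shared by Namenode and Datanodes so that it runs with the standard library only; the lifetime, user, path and block ids are constructed sample values.

```python
import hashlib
import hmac
import json
import time

KRN_STANDIN = b"namenode-signing-key"   # constructed stand-in for the Namenode's KRN
CAPABILITY_LIFETIME = 3600               # "say 1 hr", the hadoop-site.xml expiry


def sign(payload: bytes) -> str:
    """Stand-in for <payload>KRN: an HMAC instead of a public-key signature."""
    return hmac.new(KRN_STANDIN, payload, hashlib.sha256).hexdigest()


def issue_capability(user_id, permissions, path, block_id, now=None):
    """Namenode side: C = (ID, permissions, path), Sign = <C, block_id>KRN."""
    ts = int(now if now is not None else time.time())
    cap = {"ID": user_id, "permissions": permissions, "path": path,
           "TS": ts, "TE": ts + CAPABILITY_LIFETIME}
    payload = json.dumps([cap, block_id], sort_keys=True).encode()
    return {"C": cap, "block_id": block_id, "Sign": sign(payload)}


class Datanode:
    def __init__(self):
        self.revoked = set()   # (ID, path) pairs the Namenode told us to deny

    def revoke(self, user_id, path):
        """Active revocation: the Namenode's deny message for a capability."""
        self.revoked.add((user_id, path))

    def check_read(self, cap_msg, requested_block, now=None):
        """Datanode side of C->D: read(block), T. Returns (allowed, reason)."""
        now = now if now is not None else time.time()
        cap = cap_msg["C"]
        payload = json.dumps([cap, cap_msg["block_id"]], sort_keys=True).encode()
        if not hmac.compare_digest(sign(payload), cap_msg["Sign"]):
            return False, "bad signature"
        if cap_msg["block_id"] != requested_block:
            return False, "capability bound to a different block"
        if now > cap["TE"]:
            return False, "capability expired; renewal ticket required"
        if (cap["ID"], cap["path"]) in self.revoked:
            return False, "capability revoked by Namenode"
        if "r" not in cap["permissions"]:
            return False, "no read permission"
        return True, "ok"
```

Binding the signature to the block id is what stops a capability for one block being replayed against another; the expiry and revocation set cover the permission-change case the notes describe.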

Difficulties faced

  • Integrating the Kerberos protocol with the HDFS framework is quite a task!
  • Need a more efficient design for granting and revoking capabilities