Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Hortonworks Inc. 2015 Hadoop and Kerberos: The madness beyond the gate Steve 2015.

Published byConrad Rose Modified over 8 years ago

Similar presentations

Presentation on theme: "© Hortonworks Inc. 2015 Hadoop and Kerberos: The madness beyond the gate Steve 2015."— Presentation transcript:

1 © Hortonworks Inc. 2015 Hadoop and Kerberos: The madness beyond the gate Steve Loughran stevel@hortonworks.com @steveloughran 2015

2 Page 2 Me: Before Kerberos

3 © Hortonworks Inc. Page 3 Me: After Kerberos

4 © Hortonworks Inc. Page 4

5 © Hortonworks Inc. 2015 Leave now if you want to retain your life of naïve innocence Page 5

6 © Hortonworks Inc. Page 6

7 © Hortonworks Inc. 2015 export HADOOP_USER="root" Page 7

8 © Hortonworks Inc. 2015 Modern Hadoop clusters are locked down through Kerberos Page 8

9 © Hortonworks Inc. 2015 Discover Kerberos before Kerberos discovers you Page 9

10 © Hortonworks Inc. 2015 Kerberos: the gateway to hell Page 10

11 © Hortonworks Inc. This is not a metaphor Art: Andrés Álvarez Iglesias

12 © Hortonworks Inc. 2015 KPKP Kerberos is the gateway Page 12 Authentication Service Ticket Granting Service Principal user@REALM user/hostname@REALM (P, TGS, n 1 ) {K P.TGS, n 1 } KP, {ticket(P,TGS)} KTGS Ticket(P, TGS) = (TGS, P, t start, t end, K PT) KPKP {K P.S, n 2 } KP, {ticket(P,S)} KS {auth(P)} KP.TGS,{ticket(P,TGS)} KTGS, S,n 2 K TGS Kerberos Domain Controller Client auth(P) KP.TGS = {P, time)} KP.TGS

13 © Hortonworks Inc Every service is a principal alice@REALM bob@REALM oozie/ooziehost@REALM namenode/nn1@REALM hdfs/_HOST@REALM hdfs/r04s12@REALM hdfs/r04s13@REALM yarn/_HOST@REALM yarn/r04s12@REALM HTTP/_HOST@REALM Page 13 short names: alice bob oozie namenode hdfs yarn HTTP

14 © Hortonworks Inc. Page 14 Entering the darkness

15

16 © Hortonworks Inc. Page 16

17 © Hortonworks Inc. 2015 HDFS Bootstrap: Kerberos Login Page 17 shared keytab in /etc/hadoop log in to kerberos datanode/_HOST@REALM tickets for TGS namenode/nn@REALM

18 © Hortonworks Inc. 2015 HDFS Bootstrap: DNs register with NN Page 18 shared keytab in /etc/hadoop DN registration Ticket for namenode/nn@REALM ExportedBlockKeys Request ticket for namenode/nn@REALM namenode/nn@REALM datanode/_HOST@REALM

19 © Hortonworks Inc. Hadoop Tokens Issued and tracked by individual services (HDFS, WebHDFS, Timeline Server, YARN RM, …) Grant some form of access: Block tokens, Delegation Tokens Can be passed on to other processes Renewable via service APIs (RPC, HTTP) Revocable in server via service APIs Page 19 read: O'Malley 2009, Hadoop Security Architecture

20 © Hortonworks Inc. 2015 HDFS IO: Block Tokens Page 20 alice@REALM Obtain ticket for namenode/nn@REALM BlockToken BlockToken: userId, (BlockPoolId, BlockId), keyId, expiryDate, access-modes namenode/nn@REALM open("file")

21 © Hortonworks Inc. 2015 service/host@REALM Delegation Tokens delegate access Page 21 alice@REALM BlockToken HDFS Delegation Token BlockToken HDFS Delegation Token namenode/nn@REALM Token Obtain ticket for namenode/nn@REALM Request delegation token

22 © Hortonworks Inc. 2015 Launch Context YARN app launch Page 22 alice@REALM HDFS Delegation Token HDFS resourcemanager/rm@REALM nodemanager/_HOST@REALMalice Launch Context AM/RM HDFSAM/RM HDFS AM/RM namenode/nn@REALM Obtain ticket for resourcemanager/rm@REALM Request delegation token AM/RM Token Obtain tickvet for namenode/nn@REALM AM/RM' Refresh AM/RM

23 © Hortonworks Inc That which must not be named: UGI if(!UserGroupInformation.isSecurityEnabled()) { stayInALifeOfNaiveInnocence(); } else { sufferTheEnternalPainOfKerberos(); } UserGroupInformation.checkTGTAndReloginFromKeytab(); UserGroupInformation.getLoginUser() // principal logged in as UserGroupInformation.getCurrentUser() // principal acting as Page 23

24 © Hortonworks Inc UGI.doAs() UserGroupInformation bob = UserGroupInformation.createProxyUser("bob", UserGroupInformation.getLoginUser()); FileSystem userFS = bob.doAs( new PrivilegedExceptionAction () { public FileSystem run() throws Exception { return FileSystem.get(FileSystem.getDefaultUri(), conf); } }); Page 24

25 © Hortonworks Inc Hadoop RPC @KerberosInfo(serverPrincipal = "my.kerberos.principal") public interface MyRpc extends VersionedProtocol { … } public class MyRpcPolicyProvider extends PolicyProvider { public Service[] getServices() { return new Service[] { new Service("my.protocol.acl", MyRpc.class) }; } public class MyRpcSecurityInfo extends SecurityInfo { … } META-INF/services/org.apache.hadoop.security.SecurityInfo org.example.rpc.MyRpcSecurityInfo Page 25

26 © Hortonworks Inc IPC Server: get the current user identity Messages.KillResponse killContainer(Messages.KillRequest request) { UserGroupInformation callerUGI; try { callerUGI = UserGroupInformation.getCurrentUser(); } catch (IOException ie) { LOG.info("Error getting UGI ", ie); AuditLogger.logFailure("UNKNOWN", "Error getting UGI"); throw RPCUtil.getRemoteException(ie); } … Page 26

27 © Hortonworks Inc IPC Server: Authorize String user = callerUGI.getShortUserName(); if (!checkAccess(callerUGI, MODIFY)) { AuditLog.unauthorized(user, KILL_CONTAINER_REQUEST, "User doesn't have permissions to " + MODIFY); throw RPCUtil.getRemoteException( new AccessControlException( + user + " lacks access " + MODIFY_APP.name())); } AuditLog.authorized(user, KILL_CONTAINER_REQUEST) Page 27

28 © Hortonworks Inc. 2015 SASL: RFC4422 Page 28

29 © Hortonworks Inc. REST: SPNEGO (+ Delegation tokens) Page 29 Jersey + java.net httpclient? “if lucky it'll work” HADOOP-11825: Move timeline client Jersey+Kerberos+UGI support into a public implementation

30 © Hortonworks Inc. Testing Page 30

31 © Hortonworks Inc. Error messages to fear Art: Andrés Álvarez Iglesias Failure unspecified at GSS-API level (Checksum failed) No valid credentials provided (Failed to find any Kerberos tgt) Server not found in Kerberos database Clock skew too great Principal not found No valid credentials provided (Illegal key size)

32 © Hortonworks Inc. Topics Avoided Not Covered Zookeeper JAAS Trying to use HTTPS in a YARN application Trying to use Full REST in a YARN application System properties to debug Kerberos & SPNEGO Group management HADOOP_PROXY_USER Page 32

33 © Hortonworks Inc. gitbook.com/@steveloughran Questions? Art: Andrés Álvarez Iglesias

34 © Hortonworks Inc. Zookeeper SASL to negotiate security: System.setProperty("zookeeper.sasl.client", "true"); Permissions are not transitive down the tree Page 34 List perms = new ArrayList<>(); if (UserGroupInformation.isSecurityEnabled()) { perms(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS)); perms.add(new ACL(ZooDefs.Perms.READ,ZooDefs.Ids.ANYONE_ID_UNSAFE)); } else { perms.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.ANYONE_ID_UNSAFE)); } zk.createPath(path, null, perms, CreateMode.PERSISTENT);

35 © Hortonworks Inc System Properties for debugging -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true export HADOOP_JAAS_DEBUG=true Page 35

36 © Hortonworks Inc. Services RPC authentication via annotations & metadata in JAR YARN Web UIs: rely on RM proxy for authentication Authentication != Authorization Add audit logs on service endpoints YARN services: come up with a token refresh strategy: keytab everywhere; keytab in AM; update from client Page 36

37 © Hortonworks Inc. JAAS Java Authentication and Authorization Service Core Kerberos classes and types ( Principal ) Text files to configure –Different for different JVMs –Need to double escape \ for windows paths UGI handles setting up a JAAS context & logging in Page 37

38 © Hortonworks Inc. Glossary Simple Authentication and Security Layer (SASL) GSSAPI Generic Security Service Application Program Interface (RFC-2743+ others) JAAS: Java Authentication and Authorization Service Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Page 38

Download ppt "© Hortonworks Inc. 2015 Hadoop and Kerberos: The madness beyond the gate Steve 2015."

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Suchin Rengan Principal Technical Architect Salesforce.com
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer.

JAAS AuthN Tokens in uPortal and Beyond or The JAAS Singer.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Understanding WebLogic Security

Understanding WebLogic Security
Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.

Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
Securing web applications using Java EE Dr Jim Briggs 1.

Securing web applications using Java EE Dr Jim Briggs 1.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Remote Method Invocation Chin-Chih Chang. Java Remote Object Invocation In Java, the object is serialized before being passed as a parameter to an RMI.

Remote Method Invocation Chin-Chih Chang. Java Remote Object Invocation In Java, the object is serialized before being passed as a parameter to an RMI.
KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.

KerberSim CMPT 495 Fall 2004 Jerry Frederick. Project Goals Become familiar with Kerberos flow Create a simple Kerberos simulation.
Hortonworks. We do Hadoop.

Hortonworks. We do Hadoop.
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
Developing and Deploying Apache Hadoop Security Owen O’Malley - Hortonworks Co-founder and © Hortonworks Inc.

Developing and Deploying Apache Hadoop Security Owen O’Malley - Hortonworks Co-founder and © Hortonworks Inc.

Similar presentations

Ads by Google