Kerberos
Kerberos, created at MIT in the 1980s as part of Project Athena, is a single sign-on authentication protocol that provides secure and trusted communication over an insecure network.
It is designed to authenticate users and systems using secret-key cryptography, ensuring that only authorized entities can access resources and services. The fundamental authentication procedure in a Kerberos environment involves a client, a server, and a Key Distribution Center (KDC). The KDC, trusted by both clients and services, manages authentication. Its role can be separated into two services:
- AS (Authentication Service): Issues a ticket-granting ticket (TGT) used to access the TGS.
- TGS (Ticket Granting Service): Issues service tickets granting access to individual services.
The protocol involves the following steps:
- A secret key is derived from the user's authentication password (the one used to log on to the machine); it is used to decrypt the messages the user receives from the KDC.
- When a user requests access to a service, the Authentication Service of the Key Distribution Center (KDC) verifies the credentials and, if they are valid, generates a TGT.
- The TGT is sent back to the user together with a session key (both are encrypted). The user then sends the TGT to the TGS along with the Service Principal Name (SPN) of the resource the client wants to access.
- If the user has access rights, the TGS generates a service ticket and sends it to the user. The user then sends their own authentication message (the authenticator) along with the service ticket to the service to initiate the connection. The user and the server authenticate each other, and once this is completed, the user gains access to the resource.
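The four steps above, as an added example that is not part of the original glossary entry: a toy, single-process model of the AS, TGS and service (AP) exchanges. The authenticated encryption, key derivation and the principal names `alice` and `HTTP/web.example` are constructed for illustration and are not Kerberos' real enctypes or message formats; the server-to-client reply that completes mutual authentication is omitted.

```python
import hashlib, hmac, json, secrets

# Toy authenticated encryption (SHA-256 keystream + HMAC tag), constructed for this
# example; real Kerberos uses its own enctypes, e.g. aes256-cts-hmac-sha1-96.
def _ks(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    data, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def string_to_key(password, salt):
    # Step 1: the long-term secret key is derived from the login password (toy KDF).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

def as_exchange(kdc, client):
    # Step 2: the AS returns a TGT sealed with the krbtgt key (opaque to the client)
    # and a session key sealed with the client's long-term key.
    sk = secrets.token_bytes(32)
    tgt = encrypt(kdc["krbtgt"], {"client": client, "sk": sk.hex()})
    return tgt, encrypt(kdc["keys"][client], {"sk": sk.hex()})

def tgs_exchange(kdc, tgt, authenticator, spn):
    # Step 3: the TGS opens the TGT, checks the authenticator was built with the TGT's
    # session key, then issues a service ticket sealed with the service's key.
    t = decrypt(kdc["krbtgt"], tgt)
    sk = bytes.fromhex(t["sk"])
    if decrypt(sk, authenticator)["client"] != t["client"]:
        raise PermissionError("authenticator does not match TGT owner")
    ssk = secrets.token_bytes(32)
    return (encrypt(kdc["keys"][spn], {"client": t["client"], "sk": ssk.hex()}),
            encrypt(sk, {"spn": spn, "sk": ssk.hex()}))

def ap_exchange(service_key, ticket, authenticator):
    # Step 4: the service opens the ticket with its own key and checks the authenticator;
    # it never contacts the KDC and never sees the client's password or long-term key.
    t = decrypt(service_key, ticket)
    a = decrypt(bytes.fromhex(t["sk"]), authenticator)
    return a["client"] == t["client"], t["client"]

def login_and_access(password, client, spn, kdc):
    # Full client-side flow; the client only ever holds keys derived from its password.
    ck = string_to_key(password, client)
    tgt, rep = as_exchange(kdc, client)
    sk = bytes.fromhex(decrypt(ck, rep)["sk"])      # wrong password -> ValueError here
    st, tgs_rep = tgs_exchange(kdc, tgt, encrypt(sk, {"client": client}), spn)
    ssk = bytes.fromhex(decrypt(sk, tgs_rep)["sk"])
    return ap_exchange(kdc["keys"][spn], st, encrypt(ssk, {"client": client}))
```

Note that a wrong password is detected on the client side when the AS reply cannot be decrypted, and that the service verifies the ticket purely from its own key, which is what lets Kerberos scale without the service calling back to the KDC.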
Kerberos continues to be widely deployed, offering benefits that include its maturity, robustness, established presence, and fit with the demands of modern distributed systems.