Practical Kerberos
© Hortonworks Inc. 2011 – 2017. All Rights Reserved
2. Engineer at Hortonworks, Member of the Apache Software Foundation
Top-Level Projects
• Apache Accumulo®
• Apache Calcite™
• Apache Commons™
• Apache HBase®
• Apache Phoenix™
ASF Incubator
• Apache Fluo™
• Apache Gossip™
• Apache Rya™
• Apache Slider™
These names are trademarks or registered trademarks
of the Apache Software Foundation.
3. … but today we’re talking about Kerberos!
- “The Madness beyond the Gate” [1]
- An exploration in black magic and voodoo
- The word most accompanied with expletives
1: https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/kerberos_the_madness.html
5. Introduction to Kerberos
⬢ “Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography” [1]
⬢ MIT Kerberos is one implementation
– Heimdal is another
– We’re talking about MIT Kerberos
⬢ Authentication over a computer network
– Not authorization
– No data privacy
1: http://web.mit.edu/kerberos/
6. Introduction to Kerberos
⬢ Key Distribution Center (KDC)
– Centralized server which grants Kerberos “tickets”
– The “trusted third party” of the security model
⬢ Users are defined by a “principal”
– primary[/instance]@REALM
– A human: elserj@HORTONWORKS.COM
– A service: accumulo/tserver1.hortonworks.com@HORTONWORKS.COM
– elserj@HORTONWORKS.COM and elserj/login.accumulo.hwx.com@HORTONWORKS.COM are two distinct principals
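An added example (not from the talk) of parsing the primary[/instance]@REALM form described above: it honours the MIT backslash escapes for “/”, “@” and “\”, falls back to a default realm when none is given, and shows that the two elserj principals on this slide compare as different. The `svc\/odd` principal is a constructed input used only to exercise the escape handling.

```python
from dataclasses import dataclass
from typing import Optional


def _escape(s: str) -> str:
    """Re-apply the MIT escapes when printing a component back out."""
    return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]   # None for a principal like elserj@REALM
    realm: str

    def __str__(self) -> str:
        name = _escape(self.primary)
        if self.instance is not None:
            name += "/" + _escape(self.instance)
        return f"{name}@{_escape(self.realm)}"


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Parse primary[/instance][@REALM]. A backslash escapes '/', '@' and '\\' (MIT convention),
    so the string is walked character by character instead of split on the separators."""
    components, realm, buf, i = [], None, "", 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: take it literally
            buf += text[i + 1]
            i += 2
            continue
        if realm is None and ch in "/@":      # unescaped separator before the realm
            components.append(buf)
            buf = ""
            if ch == "@":
                realm = ""                    # everything from here on is the realm
        else:
            buf += ch
        i += 1
    if realm is None:                          # no '@' seen: use the default realm
        components.append(buf)
        if default_realm is None:
            raise ValueError(f"{text!r} has no realm and no default realm was given")
        realm = default_realm
    else:
        realm = buf
    if not realm or not components[0] or len(components) > 2:
        raise ValueError(f"not a primary[/instance]@REALM principal: {text!r}")
    return Principal(components[0], components[1] if len(components) == 2 else None, realm)
```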
8. Interacting with Kerberos
⬢ kadmin (or kadmin.local)
– Command-line interface for administrators to create, modify, delete principals.
⬢ kinit
– A command-line tool to obtain a ticket for a principal
– Places the ticket in a file on disk in a well-known location called a “ticket cache”
• Default location on Linux: /tmp/krb5cc_$(id -u `whoami`)
– The ticket cache is read-write protected for the user only (e.g. chmod 600)
– Can obtain a ticket for any principal using a password or keytab
– Ticket caches can hold multiple tickets
⬢ klist
– Lists the contents of the current user’s ticket cache
– Can list the keys in a keytab file
9. Benefits of Kerberos
⬢ Building a secure, network-based authentication system is very hard
⬢ Functions on non-trusted networks
– Security for multi-tenant systems, protect against malicious and non-malicious users
⬢ Leveraged across the Apache Hadoop “Stack”
⬢ Widely integrated externally
– Operating systems and programming languages
⬢ Can integrate with Active Directory
Apache Hadoop is a registered trademark of the Apache Software Foundation
11. Reality
[elserj@localhost] $ kinit elserj
Password for elserj@HORTONWORKS.COM:
[elserj@localhost] $ accumulo com.hortonworks.accumulo.MyMapReduceJob
...
2016-10-16 14:03:11,549 [security.UserGroupInformation] ERROR:
PrivilegedActionException as:accumulo/server.com (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to
find any Kerberos tgt)]
[elserj@localhost] $
(╯°□°)╯︵ ┻━┻
20. Harping on DNS
⬢ DNS must be correct, consistent, and secure
⬢ Hostnames are advertised for discovery
– Also benefits multi-homed networks
⬢ Forward and Reverse DNS mappings must be accurate on every node
– `nslookup tabletserver1.accumulo.hwx.com` returns 10.0.0.1
– `nslookup 10.0.0.1` returns tabletserver1.accumulo.hwx.com
⬢ Check /etc/resolv.conf for quick troubleshooting
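An added example (not from the talk) that automates the two nslookup checks above for one node: forward must contain the expected address and reverse must return exactly the same fully-qualified name, because that name becomes the instance of the service principal (accumulo/tserver1.hortonworks.com on the earlier slide). The `system_*` helpers use the real resolver; tabletserver2/3, 10.0.0.2/3 and the short-name PTR are constructed data so the logic can be exercised offline.

```python
import socket

def system_forward(hostname):
    """Forward lookup through the system resolver: every IPv4 address for the name."""
    return socket.gethostbyname_ex(hostname)[2]

def system_reverse(ip):
    """Reverse lookup through the system resolver: the canonical name for the address."""
    return socket.gethostbyaddr(ip)[0]

def check_dns_consistency(hostname, expected_ip, forward=system_forward, reverse=system_reverse):
    """Run the slide's two checks for one node and return a list of problems (empty = consistent).
    The lookup functions are parameters so the logic can be exercised with constructed tables."""
    problems = []
    if "." not in hostname:
        problems.append(f"{hostname!r} is not a fully-qualified name")
    try:
        ips = forward(hostname)
    except OSError as e:
        return problems + [f"forward lookup of {hostname} failed: {e}"]
    if expected_ip not in ips:
        problems.append(f"forward: {hostname} -> {ips}, expected {expected_ip}")
    try:
        name = reverse(expected_ip)
    except OSError as e:
        return problems + [f"reverse lookup of {expected_ip} failed: {e}"]
    # The reverse name must be the exact FQDN: it becomes the instance of the service principal
    if name.lower().rstrip(".") != hostname.lower().rstrip("."):
        problems.append(f"reverse: {expected_ip} -> {name!r}, expected {hostname!r}")
    return problems

def table_resolver(forward_table, reverse_table):
    """Build forward/reverse lookup functions from dicts (constructed data, no network needed)."""
    def forward(hostname):
        if hostname not in forward_table:
            raise OSError(f"NXDOMAIN {hostname}")
        return forward_table[hostname]
    def reverse(ip):
        if ip not in reverse_table:
            raise OSError(f"no PTR record for {ip}")
        return reverse_table[ip]
    return forward, reverse

# Constructed sample: tabletserver1 is set up correctly, tabletserver2's PTR returns a short name
GOOD_FORWARD, GOOD_REVERSE = table_resolver({"tabletserver1.accumulo.hwx.com": ["10.0.0.1"]},
                                            {"10.0.0.1": "tabletserver1.accumulo.hwx.com"})
BAD_FORWARD, BAD_REVERSE = table_resolver({"tabletserver2.accumulo.hwx.com": ["10.0.0.2"]},
                                          {"10.0.0.2": "tabletserver2"})
```

Against a live cluster, call `check_dns_consistency(fqdn, ip)` with the defaults on every node and expect an empty list.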
27. Kerberos authentication for HTTP-based services (SPNEGO)
⬢ Not yet implemented in Accumulo Monitor
⬢ The need to protect services using HTTP
– Don’t want to reuse SASL
⬢ Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) RFC-4178
– The Negotiate HTTP header
– Built into cURL (--negotiate), most Java-based HTTP libraries, and web-browsers
⬢ Web-browsers often need special configuration to properly authenticate.
– Firefox: network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris
– Chrome: --auth-server-whitelist="*.domain" --auth-negotiate-delegate-whitelist="*.domain"
28. Troubleshooting: Prerequisites
⬢ Ensure a recent version of your JVM and Hadoop
– Bugs exist in UserGroupInformation for certain JVMs (vendor+version)
⬢ Ensure that the unlimited strength Java Cryptographic Extensions (JCE) are installed on all nodes in the cluster
– And that clients/servers are using that JVM installation!
– Required for AES-256 encryption type on Kerberos keys (which you will likely get by default)
⬢ Ensure that you have DEBUG or TRACE logging enabled
– Server package: org.apache.accumulo.server.rpc
– Clients package: org.apache.accumulo.core.client.impl
⬢ Set the sun.security.krb5.debug system property to true in your application
29. Troubleshooting: Tips
⬢ Remember that DNS is the cornerstone
– When reading logs, make sure that you see the expected fully-qualified domain names
– Do not assume that DNS is correct: verify it.
⬢ Determine if an RPC issue is authentication or authorization
– If you see an Accumulo-level error, it is likely an authorization issue
– If you only see transport/connection-setup errors, it is likely an authentication issue
⬢ Remember that tickets expire
– Cross-reference ticket lifetimes with application logs
⬢ Read the logs.
⬢ No. Actually read them.
– The vast majority of errors can be solved with appropriate logging and JVM debugging
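An added example (not from the talk) of the “cross-reference ticket lifetimes with application logs” tip: it reads the ticket table from `klist` output, then stamps every ERROR logged by UserGroupInformation (the log format of the “Reality” slide) with whether the TGT in the cache covered that moment. The klist listing and log records below are constructed sample input; the 4- and 2-digit year formats cover the klist date styles seen across MIT versions.

```python
import re
from datetime import datetime

# klist ticket row: "valid-from  expires  service-principal", columns separated by 2+ spaces
KLIST_ROW = re.compile(r"^(\S+ \S+)\s{2,}(\S+ \S+)\s{2,}(\S+)$")
# First line of a log record in the format shown on the "Reality" slide
LOG_START = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \[(\S+)\] (\w+):")

def _klist_time(text):
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):  # 4- or 2-digit year, by klist version
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp {text!r}")

def parse_klist(text):
    """Map service principal -> (valid_from, expires) for each ticket row of klist output."""
    rows = [KLIST_ROW.match(line.strip()) for line in text.splitlines()]
    return {m.group(3): (_klist_time(m.group(1)), _klist_time(m.group(2))) for m in rows if m}

def classify_ugi_errors(klist_text, log_text, realm):
    """For each ERROR logged by UserGroupInformation, say whether the TGT covered that moment.
    Returns a list of (timestamp, verdict)."""
    tgt = parse_klist(klist_text).get(f"krbtgt/{realm}@{realm}")
    findings = []
    for line in log_text.splitlines():
        m = LOG_START.match(line)
        if not m or m.group(3) != "ERROR" or "UserGroupInformation" not in m.group(2):
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if tgt is None:
            verdict = "no TGT in cache"
        elif not (tgt[0] <= ts <= tgt[1]):
            verdict = "TGT expired"   # (or not yet obtained): re-kinit or renew, not a config bug
        else:
            verdict = "TGT valid"     # look elsewhere: DNS, principal names, keytab
        findings.append((ts, verdict))
    return findings

# Constructed sample input: a klist listing and two log records in the slide's format
KLIST = """Valid starting       Expires              Service principal
10/16/2016 02:03:11  10/16/2016 12:03:11  krbtgt/HORTONWORKS.COM@HORTONWORKS.COM"""
LOG = """2016-10-16 11:30:00,001 [security.UserGroupInformation] ERROR:
PrivilegedActionException as:elserj (auth:KERBEROS) cause:... GSS initiate failed
2016-10-16 14:03:11,549 [security.UserGroupInformation] ERROR:
PrivilegedActionException as:elserj (auth:KERBEROS) cause:... GSS initiate failed"""
```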
30. Reference Material
⬢ “Hadoop and Kerberos: The Madness beyond the Gate”
– https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/index.html
⬢ Oracle documentation
– http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html
– https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
⬢ MIT Kerberos documentation
– http://web.mit.edu/kerberos/
⬢ “Explain like I’m 5: Kerberos” (great low-level Kerberos write-up)
– http://www.roguelynn.com/words/explain-like-im-5-kerberos/
⬢ KDiag: “Kerberos diagnostics for Hadoop”
– Apache Hadoop >=2.8 or https://github.com/steveloughran/kdiag
31. Developing with Kerberos
⬢ Apache Directory’s Kerby project
– Great for Kerberos authentication without Hadoop in the picture
– http://directory.apache.org/kerby/downloads.html
⬢ Apache Hadoop’s MiniKDC
– Built on top of Apache Directory
– https://github.com/apache/hadoop/blob/release-2.7.3-RC2/hadoop-common-project/hadoop-minikdc/src/main/java/org/apache/hadoop/minikdc/MiniKdc.java
⬢ Can be used with HDFS, YARN, and Accumulo MiniClusters!
Kerberos is not an excuse to skip testing!
Apache Directory is a trademark of the Apache Software Foundation