Which of these security issues could be a reason we would not want to implement Kerberos?
Clusters that use Kerberos for authentication have several possible sources of potential issues, including:

These are just some examples, but they can prevent users and services from authenticating and can interfere with the cluster's ability to run and process workloads. The first step whenever an issue emerges is to try to isolate the source of the actual issue, by answering basic questions such as these:

If all users and multiple services are affected—and if the cluster has not worked at all after integrating with Kerberos for authentication—step through all settings for the Kerberos configuration files, as outlined in the section below, "Auditing the Kerberos Configuration". Cloudera recommends verifying the Kerberos configuration whenever issues arise, especially after initially completing the integration process.

Kerberos Command-Line Tools

User Authentication with and Without Keytab

The
Another method of authentication is using keytabs with the
Enabling Debugging for Authentication Issues

Using Cloudera Manager for Debugging

To obtain additional information in the logs and facilitate troubleshooting, administrators can set debug levels for any of the services running on Cloudera Manager Server. Typically, the settings are added using the Advanced Configuration Snippet (Safety Valve) settings for the specific service; the property names are specific to the service, as for HDFS as detailed below:
The output will be seen in the process logs:
After restarting Cloudera Manager Service, the most recent instance of the

Enabling Debugging for the Authentication Process

Set the following properties on the cluster to obtain debugging information from the Kerberos authentication process.
You can then use the following command to copy the console output to the user (with debugging messages), along with all output from
Kerberos Credential-Generation Issues

Cloudera Manager creates accounts needed by CDH services using an internal command (Generate Credentials) that is triggered automatically by the Kerberos configuration wizard or when changes are made to the cluster that require new Kerberos principals. After configuring the cluster for Kerberos authentication or making changes that require generation of new principals, you can verify that the command ran successfully by using the Cloudera Manager Admin Console, as follows:
Active Directory Credential-Generation Errors

Error: Possible cause: The Domain Controller specified is incorrect or LDAPS has not been enabled for it. Steps to resolve: Verify the configuration for the Active Directory KDC, as follows: Verify all settings. Also check that LDAPS is enabled for Active Directory.

Error: Possible cause: The Active Directory account you are using for Cloudera Manager does not have permissions to create other accounts. Steps to resolve: Use the Delegate Control wizard to grant permission to the Cloudera Manager account to create other accounts. You can also log in to Active Directory as the Cloudera Manager user to check that it can create other accounts in your Organizational Unit.

MIT Kerberos Credential-Generation Errors

Error: Possible cause: The hostname for the KDC server is incorrect. Steps to resolve: Check the

Hadoop commands fail after enabling Kerberos security

Users need to obtain valid Kerberos tickets to interact with a secure cluster, that is, a cluster that has been configured to use Kerberos for authentication. Running any Hadoop command (such as
Steps to resolve: Examine the Kerberos tickets currently in your credentials cache by running the

Using the UserGroupInformation class to authenticate Oozie

Secured CDH services mainly use Kerberos to authenticate RPC communication. RPCs are one of the primary means of communication between nodes in a Hadoop cluster. For example, RPCs are used by the YARN NodeManager to communicate with the ResourceManager, or by the HDFS client to communicate with the NameNode. CDH services handle Kerberos authentication by calling the UserGroupInformation (UGI) login method. However, some applications may include other service clients that do not involve the generic Hadoop RPC framework, such as Hive or Oozie clients. Such applications must explicitly call the

This is an example of an infinitely polling Oozie client application:
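The following is an added illustration, not the page's own example: a long-running Oozie client that logs in from a keytab through UGI and refreshes its TGT from the keytab on every poll, so the ticket lifetime never becomes an outage. The principal, keytab path, Oozie URL and job id are placeholder assumptions; the UGI and OozieClient calls are the standard Hadoop and Oozie client APIs.

```java
// Added example: keytab login via UGI plus periodic TGT refresh for an
// Oozie polling client. Principal, keytab, URL and job id are placeholders.
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.oozie.client.OozieClient;
import org.apache.oozie.client.WorkflowJob;

public class OoziePollingClient {
    // Placeholder values; replace with the real principal, keytab and Oozie URL.
    private static final String PRINCIPAL = "svc-batch@EXAMPLE.COM";
    private static final String KEYTAB = "/etc/security/keytabs/svc-batch.keytab";
    private static final String OOZIE_URL = "https://oozie.example.com:11443/oozie";
    private static final long POLL_INTERVAL_MS = 60_000L;

    public static void main(String[] args) throws Exception {
        String jobId = args[0];  // Oozie workflow job id passed on the command line
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Initial keytab login: the process never handles a password.
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL, KEYTAB);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        OozieClient oozie = new OozieClient(OOZIE_URL);

        while (true) {
            // Without this call the TGT silently expires after its lifetime and
            // every later Oozie request fails with an authentication error.
            ugi.checkTGTAndReloginFromKeytab();
            WorkflowJob.Status status = ugi.doAs(
                (PrivilegedExceptionAction<WorkflowJob.Status>) () ->
                    oozie.getJobInfo(jobId).getStatus());
            System.out.println(jobId + " is " + status);
            if (status != WorkflowJob.Status.RUNNING
                    && status != WorkflowJob.Status.PREP
                    && status != WorkflowJob.Status.SUSPENDED) {
                break;  // terminal state reached, stop polling
            }
            Thread.sleep(POLL_INTERVAL_MS);
        }
    }
}
```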
Certain Java versions cannot read credentials cache

Symptom: For MIT Kerberos 1.8.1 (or higher), the following error will occur when you attempt to interact with the Hadoop cluster, even after successfully obtaining a Kerberos ticket using

Possible cause: At release 1.8.1 of MIT Kerberos, a change ("#6206: new API for storing extra per-principal data in ccache") was made to the credentials cache format that conflicts with Oracle JDK 6 Update 26 (and earlier JDKs) (for details, see "JDK-6979329 : CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1"), rendering Java incapable of reading a Kerberos credentials cache created by MIT Kerberos 1.8.1 (or higher). Kerberos 1.8.1 is the default in Ubuntu Lucid and higher releases and Debian Squeeze and higher releases. On RHEL and CentOS, an older version of MIT Kerberos, which does not have this issue, is the default. Workaround: Use the -R (renew) option with For example:
Non-renewable tickets display this error message when the command
Resolving Cloudera Manager Service keytab Issues

Every service managed by Cloudera Manager has a keytab file that is provided at startup by the Cloudera Manager Agent. The most recent keytab files can be examined by navigating to the path. As you can see in the example below, Cloudera Manager service directory names have the form:
If you have root access to the After locating a keytab file, examine its contents ("Examining Kerberos credentials with klist") using the
Now, attempt to authenticate using the keytab file and a principal within it. In this case, we use the

Note that

Kerberos credentials have an expiry date and time. This means that, to make sure Kerberos credentials are valid uniformly over a cluster, all hosts and clients within the cluster should be using NTP and must never drift more than 5 minutes apart from each other. Kerberos session tickets have a limited lifespan, but can be renewed (as indicated in the sample

Reviewing Service Ticket Credentials in Cross-Realm Deployments

When you examine your cluster configuration, make sure you haven't violated any of the following integration rules:
Kerberos typically negotiates and uses the strongest form of encryption possible between a client and server for authentication into the realm. However, the encryption types for TGTs may sometimes end up being negotiated downward towards the weaker encryption types, which is not desirable. To investigate such issues, check the
Sample Kerberos Configuration Files

This section contains several example Kerberos configuration files.

/etc/krb5.conf

The

/var/kerberos/krb5kdc/kdc.conf

The

kadm5.acl
Why do we need Kerberos authentication?

Kerberos is designed to completely avoid storing any passwords locally or having to send any passwords through the internet, and it provides mutual authentication, meaning both the user's and the server's authenticity are verified.

How does Kerberos solve the authentication issue?

Kerberos uses symmetric key cryptography and requires trusted third-party authorization to verify user identities. Since Kerberos requires 3 entities to authenticate and has an excellent track record of making computing safer, the name really does fit.

How is Kerberos used today and why is it important?

In many of today's enterprise networks, Kerberos is relied upon to provide a common authentication and authorization solution that allows end users and systems administrators the benefit of single sign-on to everything from database servers to email services to printers to network appliances.

What is the primary reason we would implement clipping levels?

Clipping levels are used to differentiate between malicious attacks and normal users accidentally mistyping their passwords. Clipping levels define a minimum reporting threshold level.
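As an added example (not from the page), the clipping-level idea applied to authentication failures: failed pre-authentication attempts per principal are counted inside a sliding window, and only principals that exceed the threshold are reported, so a user who mistypes a password once or twice is not flagged while a burst of failures is. The log lines are constructed in a simplified shape, not real KDC output.

```java
// Added example: a clipping-level check over constructed, simplified
// KDC-style failure lines. The line shape and the sample data are made up.
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ClippingLevelMonitor {
    // Clipping level: more than this many failures within WINDOW_SECONDS is reported.
    static final int CLIPPING_LEVEL = 3;
    static final long WINDOW_SECONDS = 300;
    // Constructed line shape: "<epoch-seconds> PREAUTH_FAILED: <principal>"
    static final Pattern FAILURE = Pattern.compile("^(\\d+) PREAUTH_FAILED: (\\S+)$");

    // Returns the principals whose failure count exceeded the clipping level.
    static List<String> findOffenders(List<String> logLines) {
        Map<String, Deque<Long>> recent = new HashMap<>();
        List<String> offenders = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = FAILURE.matcher(line);
            if (!m.matches()) continue;  // successes and unrelated lines are ignored
            long ts = Long.parseLong(m.group(1));
            String principal = m.group(2);
            Deque<Long> window = recent.computeIfAbsent(principal, k -> new ArrayDeque<>());
            window.addLast(ts);
            // Drop failures that fell out of the sliding window.
            while (ts - window.peekFirst() > WINDOW_SECONDS) window.pollFirst();
            if (window.size() > CLIPPING_LEVEL && !offenders.contains(principal)) {
                offenders.add(principal);
            }
        }
        return offenders;
    }

    public static void main(String[] args) {
        // Constructed sample: alice mistypes twice; bob fails four times in a few seconds.
        List<String> sample = List.of(
            "1000 PREAUTH_FAILED: alice@EXAMPLE.COM",
            "1005 PREAUTH_FAILED: alice@EXAMPLE.COM",
            "1010 AS_REQ OK: alice@EXAMPLE.COM",
            "1100 PREAUTH_FAILED: bob@EXAMPLE.COM",
            "1101 PREAUTH_FAILED: bob@EXAMPLE.COM",
            "1102 PREAUTH_FAILED: bob@EXAMPLE.COM",
            "1103 PREAUTH_FAILED: bob@EXAMPLE.COM");
        System.out.println("Above clipping level: " + findOffenders(sample));
    }
}
```

Raising or lowering CLIPPING_LEVEL and WINDOW_SECONDS is the tuning decision the page's definition refers to: too low and typos become alerts, too high and a slow guessing attempt stays under the threshold.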