Aneela,

HDFS supports the use of the \L lowercase "macro". This is implemented
through the HDFS auth_to_local rules; it can be applied using the
additional rules if within the CDH. The relationship for Kerberos from
Hadoop (for a major portion of the platform) traverses the Java JGSS
implementation + Hadoop security core classes. (Might be the better thread
to shift to if you need deeper discussion?)

This is described in the Apache Hadoop upstream Jira HADOOP-10556.

But I agree that discussing the approach to getting agreement on the
structure of username, uppercase/lowercase and group name in general is
something to be having.


On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <[email protected]>
wrote:

> While I can’t give you details, it sounds like you want to change the web
> application to use SPNEGO to do Kerberos authentication with a user; this
> gives you a credential that you can then use to authenticate to Hadoop.
>
> From: Aneela Saleem <[email protected]>
> Date: Monday, July 18, 2016 at 11:13
> To: Brandon Allbery <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: Login usecase
>
> Thanks Brandon for your response.
>
> Actually, my use case is that I have a web application that authenticates
> a user. Then the user calls my backend services written in Java to interact
> with the Hadoop cluster. My Hadoop cluster is Kerberos-enabled. I need to
> authenticate this user using my Java code. I am able to log in using keytab
> files, but I did not find a way to log in using a password. For logging in
> using keytab files, we need to place keytab files for all the system users
> on all the hosts from where we can access our Hadoop cluster. So this is
> the main drawback. And as you say logging in using keytab files is not
> appropriate, then how can we achieve this objective?
>
> Thanks
>
> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <[email protected]> wrote:
> You are going to have to describe what you are trying to do in more
> detail. Keytabs are not normally used for this purpose, except in the case
> of automated procedures (e.g. cron) that need to log in to a service as if
> they are a user. Perhaps you have confused keytabs (“passwords” on disk)
> with ccaches (ephemeral service credentials, which may or may not be on
> disk and typically expire in a relatively short time)?
>
> On 7/17/16, 16:04, "[email protected] on behalf of Aneela Saleem"
> <[email protected] on behalf of [email protected]> wrote:
>
>     Hi all,
>
>     If a user logs into any kerberized application using Krb5LoginModule,
>     there is a function loginFromKeyTab. The client should have the key tab
>     file to log in to the application. But I think this is a very insecure
>     way of logging in. Anyone who could access your key tab file can then
>     log in to the application. Is there any appropriate way to log in to the
>     system? I don't understand how to do this. I'm stuck.
>
>     Thanks
>     ________________________________________________
>     Kerberos mailing list           [email protected]
>     https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME