© Hortonworks Inc. 2015 Hadoop and Kerberos: The madness beyond the gate Steve 2015.

Presentation transcript:

Page 2: Me: Before Kerberos

Page 3: Me: After Kerberos

Page 5: Leave now if you want to retain your life of naïve innocence

Page 7: export HADOOP_USER="root"

Page 8: Modern Hadoop clusters are locked down through Kerberos

Page 9: Discover Kerberos before Kerberos discovers you

Page 10: Kerberos: the gateway to hell

Page 11: This is not a metaphor (Art: Andrés Álvarez Iglesias)

Page 12: Kerberos is the gateway (protocol diagram)
  Parties: the client acting as principal P, the Kerberos Domain Controller hosting the Authentication Service (AS) and the Ticket Granting Service (TGS), and a target service S. K_P is P's key, K_TGS the TGS key, K_S the service key; n1, n2 are nonces.

  1. P -> AS:  (P, TGS, n1)
  2. AS -> P:  {K_P.TGS, n1}K_P, {ticket(P,TGS)}K_TGS
       where ticket(P,TGS) = (TGS, P, t_start, t_end, K_P.TGS)
  3. P -> TGS: {auth(P)}K_P.TGS, {ticket(P,TGS)}K_TGS, S, n2
       where auth(P) = {P, time}K_P.TGS
  4. TGS -> P: {K_P.S, n2}K_P, {ticket(P,S)}K_S

Page 13: Every service is a principal
  Short names: alice, bob, oozie, namenode, hdfs, yarn, HTTP

Page 14: Entering the darkness

Page 17: HDFS Bootstrap: Kerberos Login (diagram)
  Services log in to Kerberos using the shared keytab in /etc/hadoop and obtain tickets from the TGS.

Page 18: HDFS Bootstrap: DNs register with NN (diagram)
  Using the shared keytab in /etc/hadoop, each DN requests a ticket for the NN and registers with it; the registration exchange carries the ExportedBlockKeys.

Page 19: Hadoop Tokens
  - Issued and tracked by individual services (HDFS, WebHDFS, Timeline Server, YARN RM, …)
  - Grant some form of access: Block tokens, Delegation Tokens
  - Can be passed on to other processes
  - Renewable via service APIs (RPC, HTTP)
  - Revocable in server via service APIs
  Read: O'Malley 2009, Hadoop Security Architecture

Page 20: HDFS IO: Block Tokens (diagram)
  The client obtains a Kerberos ticket and calls open("file"); the response carries a BlockToken.
  BlockToken: userId, (BlockPoolId, BlockId), keyId, expiryDate, access-modes

Page 21: Delegation Tokens delegate access (diagram)
  The client obtains a Kerberos ticket and requests an HDFS Delegation Token; the token is passed to another process, which uses it to obtain BlockTokens and perform HDFS IO.

Page 22: YARN app launch (diagram)
  The client obtains a Kerberos ticket, requests an HDFS Delegation Token and places it in the Launch Context; an AM/RM token is obtained for the AM, the AM uses the HDFS Delegation Token for its HDFS access, and on AM/RM refresh (AM/RM') a new token is obtained.
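The launch-context flow on pages 21 and 22, as an added example that is not from the slides: a client collects HDFS delegation tokens into a Credentials object and serialises them into the ContainerLaunchContext so the AM starts with them. The renewer is the RM principal read from yarn.resourcemanager.principal; the cluster configuration is assumed to be on the classpath.

```java
import java.io.IOException;
import java.nio.ByteBuffer;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.io.DataOutputBuffer;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.util.Records;

/**
 * Added example (not the slides' code): put HDFS delegation tokens into a
 * YARN launch context. Assumes the caller already holds a Kerberos TGT
 * (kinit or a keytab login) and that yarn.resourcemanager.principal is set.
 */
public class TokensForLaunchContext {

  /** Ask HDFS for delegation tokens that the RM may renew, adding them to credentials. */
  static Token<?>[] collectHdfsTokens(Configuration conf, Credentials credentials)
      throws IOException {
    if (!UserGroupInformation.isSecurityEnabled()) {
      return new Token<?>[0];   // nothing to collect on an insecure cluster
    }
    // The RM must be the renewer so it can keep the tokens alive for the application's lifetime.
    String renewer = conf.get(YarnConfiguration.RM_PRINCIPAL);
    if (renewer == null || renewer.isEmpty()) {
      throw new IOException("Can't get RM Kerberos principal to use as token renewer");
    }
    FileSystem fs = FileSystem.get(conf);
    // Adds a token for the default FS (and any it delegates to) unless one is already present.
    return fs.addDelegationTokens(renewer, credentials);
  }

  /** Serialise the credentials into the launch context; YARN loads them into the container's UGI. */
  static ContainerLaunchContext attachTokens(ContainerLaunchContext ctx, Credentials credentials)
      throws IOException {
    DataOutputBuffer dob = new DataOutputBuffer();
    credentials.writeTokenStorageToStream(dob);
    ctx.setTokens(ByteBuffer.wrap(dob.getData(), 0, dob.getLength()));
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new YarnConfiguration();
    Credentials credentials = new Credentials();
    for (Token<?> token : collectHdfsTokens(conf, credentials)) {
      System.out.println("got token " + token.getKind() + " for " + token.getService());
    }
    ContainerLaunchContext amContainer = Records.newRecord(ContainerLaunchContext.class);
    attachTokens(amContainer, credentials);
    // amContainer now goes into the ApplicationSubmissionContext; the AM reads the tokens
    // back through UserGroupInformation.getCurrentUser().getTokens().
  }
}
```

Note that a delegation token has a maximum lifetime even when renewed, which is the reason page 36 asks every YARN service for a refresh strategy (keytab everywhere, keytab in the AM, or a client pushing fresh tokens).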

Page 23: That which must not be named: UGI
  if (!UserGroupInformation.isSecurityEnabled()) {
    stayInALifeOfNaiveInnocence();
  } else {
    sufferTheEternalPainOfKerberos();
  }

  // TGT renewal is an instance method on the logged-in UGI
  UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();

  UserGroupInformation.getLoginUser()    // principal logged in as
  UserGroupInformation.getCurrentUser()  // principal acting as

Page 24: UGI.doAs()
  UserGroupInformation bob = UserGroupInformation.createProxyUser("bob",
      UserGroupInformation.getLoginUser());
  FileSystem userFS = bob.doAs(new PrivilegedExceptionAction<FileSystem>() {
    public FileSystem run() throws Exception {
      return FileSystem.get(FileSystem.getDefaultUri(conf), conf);
    }
  });
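Pages 23 and 24 together, as an added example that is not the slides' code: a service logs in from its own keytab when security is enabled, keeps the TGT fresh, and then does filesystem work on behalf of an end user through a proxy UGI, printing the login user and current user so the difference between the two is visible. The principal, keytab path and the user "bob" are assumed values.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added example (not from the slides): service login, TGT refresh and proxy-user doAs.
 * SERVICE_PRINCIPAL and SERVICE_KEYTAB are assumed values.
 */
public class ServiceIdentityExample {

  // Assumed values; replace with the service's real principal and keytab.
  static final String SERVICE_PRINCIPAL = "myservice@EXAMPLE.COM";
  static final String SERVICE_KEYTAB = "/etc/security/keytabs/myservice.keytab";

  /** Log the service in; a no-op on an insecure (SIMPLE auth) cluster. */
  static UserGroupInformation loginService(Configuration conf) throws IOException {
    UserGroupInformation.setConfiguration(conf);   // reads hadoop.security.authentication
    if (UserGroupInformation.isSecurityEnabled()) {
      UserGroupInformation.loginUserFromKeytab(SERVICE_PRINCIPAL, SERVICE_KEYTAB);
    }
    return UserGroupInformation.getLoginUser();
  }

  /** Call periodically, or before a batch of RPCs, so the TGT never silently expires. */
  static void keepTicketFresh() throws IOException {
    // Instance method: it only re-logs-in when the ticket is near expiry and a keytab was used.
    UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
  }

  /**
   * Run a filesystem operation as {@code user}. The real (authenticated) user stays the
   * service, so the NameNode applies its hadoop.proxyuser.* rules to the call.
   */
  static FileStatus[] listAsUser(String user, final Configuration conf, final Path dir)
      throws IOException, InterruptedException {
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
    return proxy.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
      @Override
      public FileStatus[] run() throws Exception {
        // Inside doAs: getCurrentUser() is the proxied user, getLoginUser() is still the service.
        UserGroupInformation me = UserGroupInformation.getCurrentUser();
        System.out.println("acting as " + me.getShortUserName()
            + ", real user " + me.getRealUser().getShortUserName());
        FileSystem fs = FileSystem.get(conf);   // cached per UGI, so this is bob's client
        return fs.listStatus(dir);
      }
    });
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    UserGroupInformation login = loginService(conf);
    System.out.println("logged in as " + login.getUserName()
        + " via " + login.getAuthenticationMethod());
    keepTicketFresh();
    for (FileStatus status : listAsUser("bob", conf, new Path("/user/bob"))) {
      System.out.println(status.getPath());
    }
  }
}
```

The proxy call only succeeds if the NameNode's configuration lists the service under hadoop.proxyuser.myservice.hosts and hadoop.proxyuser.myservice.groups; otherwise the NameNode rejects the impersonation, which is the intended check against any service that can impersonate anyone.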

Page 25: Hadoop RPC
  @KerberosInfo(serverPrincipal = "my.kerberos.principal")
  public interface MyRpc extends VersionedProtocol { … }

  public class MyRpcPolicyProvider extends PolicyProvider {
    public Service[] getServices() {
      return new Service[] { new Service("my.protocol.acl", MyRpc.class) };
    }
  }

  public class MyRpcSecurityInfo extends SecurityInfo { … }

  META-INF/services/org.apache.hadoop.security.SecurityInfo:
    org.example.rpc.MyRpcSecurityInfo

Page 26: IPC Server: get the current user identity
  Messages.KillResponse killContainer(Messages.KillRequest request) {
    UserGroupInformation callerUGI;
    try {
      callerUGI = UserGroupInformation.getCurrentUser();
    } catch (IOException ie) {
      LOG.info("Error getting UGI ", ie);
      AuditLogger.logFailure("UNKNOWN", "Error getting UGI");
      throw RPCUtil.getRemoteException(ie);
    }
    …

Page 27: IPC Server: Authorize
    String user = callerUGI.getShortUserName();
    if (!checkAccess(callerUGI, MODIFY)) {
      AuditLog.unauthorized(user, KILL_CONTAINER_REQUEST,
          "User doesn't have permissions to " + MODIFY);
      throw RPCUtil.getRemoteException(new AccessControlException(
          "User " + user + " lacks access " + MODIFY_APP.name()));
    }
    AuditLog.authorized(user, KILL_CONTAINER_REQUEST);
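The identity-then-authorize sequence of pages 26 and 27, as an added example that is not the slides' code: the caller UGI is resolved, checked against Hadoop's own AccessControlList, and both outcomes are written to an audit log that records the authentication method and, for proxied calls, the real user. The ACL spec, audit logger name and the KILL_CONTAINER_REQUEST operation name are assumptions.

```java
import java.io.IOException;

import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (not from the slides): authorization for an IPC handler using
 * AccessControlList plus audit logging. The ACL and logger name are assumed values.
 */
public class RpcAuthorizer {

  // Assumed logger name; route it to its own appender so audit lines survive log-level changes.
  private static final Logger AUDIT = LoggerFactory.getLogger("org.example.rpc.audit");

  private final AccessControlList modifyAcl;

  /** aclSpec uses the Hadoop ACL syntax: "user1,user2 group1,group2", or "*" for everyone. */
  RpcAuthorizer(String aclSpec) {
    this.modifyAcl = new AccessControlList(aclSpec);
  }

  /** Resolve the caller. Only meaningful on an RPC handler thread, where the server set the UGI. */
  static UserGroupInformation callerIdentity(String operation) throws AccessControlException {
    try {
      return UserGroupInformation.getCurrentUser();
    } catch (IOException e) {
      AUDIT.warn("user=UNKNOWN op={} result=FAILURE reason=\"cannot resolve caller\"", operation, e);
      throw new AccessControlException("Cannot determine caller identity for " + operation);
    }
  }

  /** Returns normally if the caller may modify; throws, after an audit entry, otherwise. */
  void authorizeModify(UserGroupInformation caller, String operation) throws AccessControlException {
    String user = caller.getShortUserName();
    // A proxied call (e.g. oozie acting as alice) also carries the real user; record it so the
    // trail shows who authenticated, not only who the request was made as.
    UserGroupInformation realUser = caller.getRealUser();
    String via = realUser == null ? "" : " realUser=" + realUser.getShortUserName();

    if (!modifyAcl.isUserAllowed(caller)) {
      AUDIT.warn("user={}{} auth={} op={} result=UNAUTHORIZED", user, via,
          caller.getAuthenticationMethod(), operation);
      throw new AccessControlException("User " + user + " lacks MODIFY access for " + operation);
    }
    AUDIT.info("user={}{} auth={} op={} result=AUTHORIZED", user, via,
        caller.getAuthenticationMethod(), operation);
  }

  /** Shape of a handler such as killContainer(): identify, authorize, then act. */
  Object killContainer(Object request) throws AccessControlException {
    UserGroupInformation caller = callerIdentity("KILL_CONTAINER_REQUEST");
    authorizeModify(caller, "KILL_CONTAINER_REQUEST");
    // ... perform the operation ...
    return null;
  }

  public static void main(String[] args) throws Exception {
    // Standalone run without a cluster: getCurrentUser() falls back to the OS login user.
    RpcAuthorizer authz = new RpcAuthorizer("alice,bob admins");   // assumed ACL
    UserGroupInformation caller = callerIdentity("KILL_CONTAINER_REQUEST");
    try {
      authz.authorizeModify(caller, "KILL_CONTAINER_REQUEST");
      System.out.println(caller.getShortUserName() + " is allowed");
    } catch (AccessControlException denied) {
      System.out.println(denied.getMessage());
    }
  }
}
```

Logging the authentication method alongside the decision is what makes "Authentication != Authorization" (page 36) checkable after the fact: an AUTHORIZED line with auth=SIMPLE on a cluster that is supposed to be Kerberized is itself a finding.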

Page 28: SASL: RFC 4422

Page 29: REST: SPNEGO (+ Delegation tokens)
  Jersey + java.net httpclient? "if lucky it'll work"
  HADOOP-11825: Move timeline client Jersey+Kerberos+UGI support into a public implementation

Page 30: Testing

Page 31: Error messages to fear (Art: Andrés Álvarez Iglesias)
  - Failure unspecified at GSS-API level (Checksum failed)
  - No valid credentials provided (Failed to find any Kerberos tgt)
  - Server not found in Kerberos database
  - Clock skew too great
  - Principal not found
  - No valid credentials provided (Illegal key size)

Page 32: Topics Avoided / Not Covered
  - Zookeeper
  - JAAS
  - Trying to use HTTPS in a YARN application
  - Trying to use full REST in a YARN application
  - System properties to debug Kerberos & SPNEGO
  - Group management
  - HADOOP_PROXY_USER

Page 33: Questions? (Art: Andrés Álvarez Iglesias)

Page 34: Zookeeper
  SASL to negotiate security:
    System.setProperty("zookeeper.sasl.client", "true");
  Permissions are not transitive down the tree.

  List<ACL> perms = new ArrayList<>();
  if (UserGroupInformation.isSecurityEnabled()) {
    // authenticated identities get full control; everyone else may only read
    perms.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.AUTH_IDS));
    perms.add(new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
  } else {
    perms.add(new ACL(ZooDefs.Perms.ALL, ZooDefs.Ids.ANYONE_ID_UNSAFE));
  }
  zk.createPath(path, null, perms, CreateMode.PERSISTENT);

Page 35: System properties for debugging
  -Dsun.security.krb5.debug=true
  -Dsun.security.spnego.debug=true
  export HADOOP_JAAS_DEBUG=true

Page 36: Services
  - RPC authentication via annotations & metadata in JAR
  - YARN Web UIs: rely on RM proxy for authentication
  - Authentication != Authorization
  - Add audit logs on service endpoints
  - YARN services: come up with a token refresh strategy: keytab everywhere; keytab in AM; update from client

Page 37: JAAS
  - Java Authentication and Authorization Service
  - Core Kerberos classes and types (Principal)
  - Text files to configure
    - Different for different JVMs
    - Need to double escape \ for Windows paths
  - UGI handles setting up a JAAS context & logging in

Page 38: Glossary
  - SASL: Simple Authentication and Security Layer
  - GSSAPI: Generic Security Service Application Program Interface (RFC and others)
  - JAAS: Java Authentication and Authorization Service
  - SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism