Database Reference
In-Depth Information
The model is fairly simple. Clients register with the Kerberos key distribution center (KDC)
and share their password. When a client wants access to a resource like a file server, it sends
a request to the KDC with some portion encrypted with this password. The KDC attempts to
decrypt this material. If successful, it sends back a ticket-granting ticket (TGT) to the
client, which has material encrypted with its special passcode. When the client receives the
TGT, it sends a request back to the KDC with a request for access to the file server. The
KDC sends back a ticket with bits encrypted with the file server's passcode. From then on,
the client and the file server use this ticket to authenticate.
The notion is that the file server, which might be very busy with many client requests, is not
bogged down with the mechanics of keeping many user passcodes. It just shares its passcode
with the KDC and uses the ticket the client has received from the KDC to authenticate.
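The exchange described above can be traced end to end in a toy model. This is an added example, not code from the book or from any Kerberos implementation: the `KDC` class, `seal`/`unseal`, `derive`, `run_flow`, the principal names and the passwords are all hypothetical, and the cipher is a hashlib/hmac stand-in for real Kerberos encryption types.

```python
# Toy model of the exchange described above (added example, not real Kerberos).
# seal()/unseal() are a hashlib/hmac stand-in for Kerberos encryption types;
# authenticators, timestamps and ticket lifetimes are omitted.
import hashlib, hmac, json, os

def derive(secret):                       # stand-in for string-to-key
    return hashlib.sha256(secret.encode()).digest()

def _xor(key, nonce, data):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self, principals):       # every principal shares a secret with the KDC
        self.keys = {name: derive(pw) for name, pw in principals.items()}
        self.tgs_key = os.urandom(32)     # seals TGTs; known only to the KDC

    def issue_tgt(self, user, request):
        unseal(self.keys[user], request)  # decrypts only if the client knows the password
        sk = os.urandom(32).hex()
        return seal(self.tgs_key, {"user": user, "sk": sk}), seal(self.keys[user], {"sk": sk})

    def issue_ticket(self, tgt, service):
        t, sk = unseal(self.tgs_key, tgt), os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": sk})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk})

def run_flow(login_password):
    kdc = KDC({"alice": "correct horse", "fileserver": "srv-secret"})  # constructed sample data
    k = derive(login_password)
    tgt, reply = kdc.issue_tgt("alice", seal(k, {"want": "tgt"}))
    tgt_sk = bytes.fromhex(unseal(k, reply)["sk"])
    ticket, reply2 = kdc.issue_ticket(tgt, "fileserver")
    client_sk = unseal(tgt_sk, reply2)["sk"]
    # File server: opens the ticket with its own key; it never sees alice's password.
    seen = unseal(derive("srv-secret"), ticket)
    return seen["user"], seen["sk"] == client_sk
```

The client carries the TGT and the service ticket without being able to read either; only the KDC and the file server, respectively, hold the keys that open them.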
Kerberos is thought to be tedious to set up and maintain. To this end, there is some active
work in the Hadoop community to present a simpler and more effective authentication
mechanism.
Tutorial Links
This lecture provides a fairly concise and easy-to-follow description of the technology.
Example Code
An effective Kerberos installation can be a daunting task and is well beyond the scope of this
book. Many operating system vendors provide a guide for configuring Kerberos. For more
information, refer to the guide for your particular OS.
Knox
License
Apache License, Version 2.0
Activity
Medium
 