1. Authentication. The client authenticates itself to the Authentication Server and receives a timestamped Ticket-Granting Ticket (TGT).
2. Authorization. The client uses the TGT to request a service ticket from the Ticket-Granting Server.
3. Service request. The client uses the service ticket to authenticate itself to the server that is providing the service the client is using. In the case of Hadoop, this might be the namenode or the resource manager.
Together, the Authentication Server and the Ticket-Granting Server form the Key Distribution Center (KDC). The process is shown graphically in Figure 10-2.
Figure 10-2. The three-step Kerberos ticket exchange protocol
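The three steps above as a simplified model, added here as an example that is not code from the original text or from any Kerberos implementation. It assumes an HMAC tag in place of Kerberos ticket encryption, omits session keys and authenticators, and uses constructed principals, keys and lifetime.

```python
import hashlib, hmac, json

# Constructed long-term keys held by the KDC (hypothetical principals and secrets).
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}
TGS_KEY = b"constructed-tgs-key"
SERVICE_KEYS = {"namenode": b"constructed-namenode-key"}
TGT_LIFETIME = 10 * 3600  # seconds; constructed value

def seal(key, body):
    """Bind a ticket body to a key with an HMAC tag (stand-in for Kerberos encryption)."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, raw, hashlib.sha256).hexdigest()}

def unseal(key, ticket, now):
    """Return the body if the tag verifies and the ticket has not expired, else None."""
    if ticket is None:
        return None
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    good = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, ticket["tag"]):
        return None
    return ticket["body"] if now < ticket["body"]["expires"] else None

def as_request(user, password, now):
    """Step 1 (Authentication Server): check the user's key, issue a timestamped TGT."""
    key = hashlib.sha256(password.encode()).digest()
    if not hmac.compare_digest(key, USER_KEYS.get(user, b"")):
        return None
    return seal(TGS_KEY, {"client": user, "issued": now, "expires": now + TGT_LIFETIME})

def tgs_request(tgt, service, now):
    """Step 2 (Ticket-Granting Server): exchange a valid TGT for a service ticket."""
    body = unseal(TGS_KEY, tgt, now)
    if body is None or service not in SERVICE_KEYS:
        return None
    # The service ticket never outlives the TGT it was derived from.
    return seal(SERVICE_KEYS[service], {"client": body["client"], "service": service,
                                        "issued": now, "expires": body["expires"]})

def service_accepts(service, ticket, now):
    """Step 3 (service, e.g. the namenode): accept only a ticket sealed under its own key."""
    body = unseal(SERVICE_KEYS[service], ticket, now)
    return body is not None and body["service"] == service

if __name__ == "__main__":
    tgt = as_request("alice", "alice-password", now=0)         # password used once
    ticket = tgs_request(tgt, "namenode", now=60)              # no password needed
    print(service_accepts("namenode", ticket, now=120))
    print(tgs_request(tgt, "namenode", now=TGT_LIFETIME + 1))  # expired TGT is refused
```

The password appears only in step 1; steps 2 and 3 run on the TGT and service ticket alone until the TGT's timestamp expires.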
The authorization and service request steps are not user-level actions; the client performs
these steps on the user's behalf. The authentication step, however, is normally carried out
explicitly by the user using the kinit command, which will prompt for a password.
However, this doesn't mean you need to enter your password every time you run a job or