WARNING: Work In Progress
The sequence diagram below is intended to be a very detailed description of the interactions that occur during the process of defining, submitting and executing a map reduce job on a secure Hadoop cluster. Ideally this will complement and clarify the Hadoop security design white paper.
The descriptions of the interactions below take this form.
[Protocol] message( input ) : output
The [Protocol] portion describes the protocol, authentication mechanism and identities exchanged.
Abbreviation |
Description |
|---|---|
|
Kerberos Protocol |
|
RPC protocol with SASL mutual authentication using Kerberos tickets. |
|
RPC protocol with SASL mutual authentication using delegation tokens. |
|
Data transfer protocol between the DataNode and a client. HTTP protocol with block tokens plus SHA1 hash exchange. |
Suffixes are used in many cases to denote type.
Abbreviation |
Description |
|---|---|
tgt |
Kerberos Ticket Granting Ticket |
kp |
Kerberos Principal: nn-kp = The Kerberos principal for the NameNode nn |
kt |
Kerberos Ticket: u-jt-kt = A Kerberos Ticket for User u to access the JobTracker jt |
Kerberos principals use the principal abbreviation and the kp suffix.
Abbreviation |
Description |
|---|---|
|
NameNode's Kerberos Principal |
|
DataNode's Kerberos Principal (Unique principal for each DataNode on every node) |
|
JobTracker's Kerberos Principal |
|
TaskTracker's Kerberos Principal (Unique principal for each TaskTracker on every node) |
Kerberos tickets use the consumer principal abbreviation, provider principal abbreviation and kt suffix.
Abbreviation |
Description |
|---|---|
|
Kerberos service ticket for User u to access NameNode nn |
|
Kerberos service ticket for User u to access JobTracker jt |
|
Kerberos service ticket for DataNode dn to access NameNode nn |
|
Kerberos service ticket for JobTracker dn to access NameNode nn |
|
Kerberos service ticket for TaskTracker tt to access JobTracker jt |
