PlantUML Macro
@startuml
hide footbox

title Linux Single Kerberos Realm with LDAP Groups

' Three trust zones: the gateway node the user types on, the Hadoop cluster,
' and the corporate LDAP directory that is the source of group membership.
box "Gateway Node"
  actor "User\n(user)" as User
  participant Client as "Hadoop\nClient\n(cli)" #lightgreen
  participant UTC as "User's\nTicket\nCache"
end box
box "Hadoop Cluster"
  participant Hadoop as "Hadoop\nServices\n(eg hdfs)" #lightgreen
  participant SKT as "Service's\nKeytab"
  participant KDC as "MIT\nKDC"
end box
box "Corporate Network"
  participant LDAP as "LDAP"
end box

note over LDAP
  Contains group info
end note

note over KDC
  Contains user &
  service accounts
end note

' Service start-up: the service authenticates to the KDC using the key in its
' keytab, so no interactive password is involved.
Hadoop->KDC: kinit(hdfs):hdfs-tgt
  note right: TGT stored in memory
  activate Hadoop
  Hadoop->SKT: load():password
    note right: Password loaded from Keytab
  deactivate Hadoop

' User login: interactive kinit on the gateway; the TGT is kept in the ticket cache.
User->KDC: kinit(guest):user-tgt
  activate User
  User->User: prompt():password
  User->UTC: store(user-tgt)
  deactivate User

' Request: the client exchanges the cached TGT for an hdfs service ticket, the
' service verifies that ticket with its keytab, and only then resolves the
' caller's groups from LDAP (the KDC holds accounts, not group membership).
User->Client: hadoop fs ls
  activate Client
  Client->UTC: load():user-tgt
  Client->KDC: tgsReq(user-tgt):user-hdfs-st
  Client->Hadoop: ls[user-hdfs-st](dir):files
    activate Hadoop
    Hadoop->Hadoop: verify(user-hdfs-st)
    Hadoop->LDAP: groupLookup(user):groups
    deactivate Hadoop
  deactivate Client
@enduml
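The core-site.xml settings that produce this flow on the Hadoop side (Kerberos for the verify step, LdapGroupsMapping for the groupLookup step), given here as an added example rather than configuration from the original page; the service keytab settings that the kinit(hdfs) step relies on live in hdfs-site.xml and are not shown. The realm EXAMPLE.COM, the LDAP host, bind DN, base DN, password file path and object classes are assumptions.

```xml
<!-- core-site.xml, added example: realm, host, DNs and object classes are assumptions -->
<configuration>
  <!-- Step verify(user-hdfs-st): services accept only Kerberos service tickets. -->
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <!-- Single realm: the DEFAULT rule maps user@EXAMPLE.COM to the short name
       "user", which is the name handed to groupLookup(user). -->
  <property>
    <name>hadoop.security.auth_to_local</name>
    <value>DEFAULT</value>
  </property>
  <!-- Step groupLookup(user): resolve groups in corporate LDAP, not /etc/group. -->
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.com:636</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.ssl</name>
    <value>true</value>
  </property>
  <!-- Bind credentials: keep the password in a root-only file, never in this XML. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>cn=hadoop-svc,ou=services,dc=example,dc=com</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.password.file</name>
    <value>/etc/hadoop/conf/ldap-bind.password</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.base</name>
    <value>dc=example,dc=com</value>
  </property>
  <!-- Filters assume inetOrgPerson users and groupOfNames groups whose "member"
       attribute holds user DNs; member/cn are Hadoop's default attribute names. -->
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
    <value>(&amp;(objectClass=inetOrgPerson)(uid={0}))</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
    <value>(objectClass=groupOfNames)</value>
  </property>
</configuration>
```

Running `hdfs groups <user>` on the cluster prints the groups the service actually resolved for that user, which is the direct check that the groupLookup step returns what LDAP holds.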