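@startuml
' Sequence diagram: Kerberos authentication of a CLI user to a Hadoop
' service in a single MIT KDC realm, with group membership resolved from
' LDAP rather than from Kerberos (the KDC holds principals, not groups).
autonumber
hide footbox

title Linux Single Kerberos Realm with LDAP Groups
box "Gateway Node"
  actor "User\n(user)" as User
  participant Client as "Hadoop\nClient\n(cli)" #lightgreen
  participant UTC as "User's\nTicket\nCache"
end box
box "Hadoop Cluster"
  participant Hadoop as "Hadoop\nServices\n(eg hdfs)" #lightgreen
  participant SKT as "Service's\nKeytab"
  participant KDC as "MIT\nKDC"
end box
box "Corporate Network"
  participant LDAP as "LDAP"
end box

note over LDAP
  Contains group info
end note

note over KDC
  Contains user &
  service accounts
end note

' Service start-up: a keytab holds the service principal's long-term key,
' not its password. The key must be read before the AS exchange so the
' service can authenticate to the KDC without any interactive prompt.
Hadoop->SKT: load():service-key
  note right: Long-term key read from keytab\n(no password stored or prompted)
  activate Hadoop
  Hadoop->KDC: kinit(hdfs):hdfs-tgt
    note right: TGT held in memory only
  deactivate Hadoop

' User login: kinit prompts for the password and caches the TGT.
' The principal name matches the actor ("user") and the later group lookup.
User->KDC: kinit(user):user-tgt
  activate User
  User->User: prompt():password
  User->UTC: store(user-tgt)
  deactivate User

' User request: the client exchanges the cached TGT for a service ticket
' (TGS-REQ) and presents it to the service. The service validates the
' ticket locally with its keytab key, then resolves groups from LDAP.
User->Client: hadoop fs -ls
  activate Client
  Client->UTC: load():user-tgt
  Client->KDC: tgsReq(user-tgt):user-hdfs-st
  Client->Hadoop: ls[user-hdfs-st](dir):files
    activate Hadoop
    Hadoop->Hadoop: verify(user-hdfs-st)
      note right: Decrypted with the service key from the keytab;\nno KDC round-trip needed
    Hadoop->LDAP: groupLookup(user):groups
      note right: Authorization (group membership)\ncomes from LDAP, not from Kerberos
    deactivate Hadoop
  deactivate Client

@enduml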