SlideShare a Scribd company logo

Kerberos, Token and Hadoop

Download as PPTX, PDF
K
Kai Zheng

It introduces and illustrates use cases, benefits and problems for Kerberos deployment on Hadoop; how Token support and TokenPreauth can help solve the problems. It also briefly introduces Haox project, a Java client library for Kerberos.

1 of 40
Downloaded 200 times
Kerberos, Token and Hadoop MIT Kerberos Day Intel Big Data Technologies kai.zheng@intel.com 1
Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 2
Apache Hadoop 3
4 When Hadoop adding security  Initially no authentication at all  Kerberos or SSL/TLS?  Adding security should not impact performance much  Kerberos is used to authenticate users, GSSAPI/SASL is used between C/S, encryption on wire could be optional
 End users to services, using password  Services to services, using service credentials/keytabs  Services to services, delegating users, using service credentials  MR tasks to services, delegating users, using delegation token Kerberos authentication 5
6 Client authentication
7 Deploying Kerberos Provisioning service credentials/keytabs
8 Deploying Kerberos (cont'd)
Strengths  Symmetric encryption, mutual authentication  Flexible SASL QoP, authentication (privacy) by default  Command line (kinit, SSO) + Browser (SPNEGO)  Mature, available in Linux/Windows + J2SE 9
Challenges  Hadoop ecosystem is large and still fast evolving, other authentication solutions are desired  Hadoop cluster can be large, the traffic can be huge  Services are dynamically provisioned and relocated on demand  Applications are to run in containerized environment, and can be dynamically scheduled and relocated to other nodes automatically  Different deployment environments and scenarios, with different requirements 10
 Lagged Kerberos feature support in Java (PKINIT, S2U only added recently, etc.)  Lacking fine-grained authorization support  Lacking strong delegation support in Kerberos/Java stack  Inconvenient and limited browser access via SPNEGO, for work around to bypass Kerberos exposing internal delegation token  Encryption not set in SASL via (QoP) by default, and might involve performance impact (benchmark and optimization?)  AES 256 isn’t supported by Java by default  Just get it work, allow_weak_crypto is used;  kinit –R issue Problems 11
Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 12
Hadoop tokens Existing Hadoop tokens for internal authentication: delegation token, job token, block access token … 13
TokenAuth effort Proposed token for primary/initial authentication 14
Requirements  Allow to integrate 3rd party authentication solutions  Help enforce fine-grained authorization  Supporting OAuth 2.0 token and work flow is desired for cloud deployment 15
Challenges  Involve great change over the ecosystem  May break existing applications built on the platform  Over complex, involving both Identity Token and Access Token with related services, the work flow is quite complex. (Reinvent Kerberos?)  Big impact for performance or security concerns We either use TLS/SSL to protect token or don’t care about it at all. The former involves performance impact, the latter suffers security consideration. 16
Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 17
TokenPreauth mechanism Allows user to authenticate to KDC using 3rd party tokens instead of password 18
TokenPreauth mechanism (cont’d)  Defines required token attribute values based on JWT token, reusing existing attributes  Support Bearer Token and allows to support Holder-of-Key Token in future  Support Identity Token (or ID Token) and allows to support Access Token in future 19
TokenPreauth mechanism (cont’d)  Client principal may exist or not during token validating and ticket issuing  kinit –X token=[Your-Token], by default ref. ~/.kerbtoken  How token being generated may be out of scope, left for token authority  Identity Token -> Ticket Granting Ticket, Access Token -> Service Ticket  Ticket lifetime derived from token SHOULD be in the time frame of the token  Ticket derived from token may be not renewable 20
Access Token profile  Based on TokenPreauth, allow Access Token to be used to request Service Ticket directly in AS exchange  Should be useful to support OAuth 2.0 Web flow in Kerberized Resource Server with backend service 21
Why it matters  Token and OAuth are widely used in Internet, cloud and mobile, more and more popular  It allows Kerberized systems to be supported in token’s world  Also allows Kerberized systems to integrate other authentication solutions thru token and Token Authority, without modification of existing codes.  May help Kerberos evolve in both cloud and big data platform  Make extra sense for Hadoop, supporting token across the ecosystem without performance impact 22
How it is going  We’re collaborating with MIT to standardize  Initial drafts, under MIT team’s review  Should be submitted to KITTEN WG soon  PoC done targeting for Hadoop 23
Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 24
Kerberos + Token for Hadoop  Let’s combine all of these together
PoC: TokenPreauth plugin 26
PoC: Token authentication JAAS module 27
PoC: Browser and Web support 28
 Implement the mechanism and have it included in next MIT Kerberos release, collaborating with MIT team  Or at least, provide the plugin binary download and source codes repository for public usage and review  Make a complete token solution based on Kerberos for Hadoop Next step 29
 The Repo: https://github.com/drankye/haox  Working on a first class Java Kerberos client library  Catch up with latest Kerberos features and fill gaps lagged by Java – PKINIT – TokenPreauth Haox project 30
Haox-asn1  A data driven ASN-1 encoding/decoding framework  A simple example, AuthorizationData type from RFC4210 31
Haox-asn1 (cont’d)  A data driven ASN-1 encoding/decoding framework  A simple example, AuthorizationData type from RFC4210 32
Haox-asn1 (cont’d)  A data driven ASN-1 encoding/decoding framework  A more complex example, from X.690-0207 33
Haox kerb-crypto  Implementing des, des3, rc4, aes, camellia encryption and corresponding checksum types  Interoperates with MIT Kerberos  Independent with Kerberos codes in JRE, but rely on JCE 34
 ASN-1 (done)  Core spec types (done)  Crypto (done)  AS client (going)  Preauth framework (going)  PKINIT (going) Haox Status 35
Future work  Combining all of these effort together, make a complete token solution for Hadoop  Additionally, we’d also like to make Kerberos deployment be more easily and readily even for large Hadoop clusters It’s Intel’s mission that makes Hadoop more enterprise-grade security ready  We’re also interested in evolving Kerberos for cloud platform, particularly, how Kerberized services and applications can be dynamically scheduled to nodes and bootstrap  Will investigate how Intel’s technology like TEE/TXT can help thru all of these 36
Trusted Execution Technology (TXT)  Establishing root of trust through measurement of hardware and pre-launch software components, and utilizing the result, 1.Run your workload and data on a trusted 2.Protect your workload and data 3.Avoid compromising security in the cloud 4.Sealed and secured storage 37
Kerberos with TXT  With the secured storage provided by TXT, 1.Protect credential cache to store TGTs for Kerberos 2.Protect token cache for Hadoop 3.Protect encryption keys for data 4.Protect key store for management
Kerberos with TXT (cont’d)  With secured token cache and trusted execution by TXT, TokenPreauth can be deployed with host keytab/cert
Thanks! You feedback are very welcome Please contact kai.zheng@intel.com for update. 40
Ad

Recommended

Hadoop security
Hadoop securityHadoop security
Hadoop security
shrey mehrotra
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Hadoop Security, Cloudera - Todd Lipcon and Aaron Myers - Hadoop World 2010
Cloudera, Inc.
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
Shumon Huque
 
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 editionHadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
Steve Loughran
 
TriHUG 2/14: Apache Sentry
TriHUG 2/14: Apache SentryTriHUG 2/14: Apache Sentry
TriHUG 2/14: Apache Sentry
trihug
 
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheConTechnical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Technical tips for secure Apache Hadoop cluster #ApacheConAsia #ApacheCon
Yahoo!デベロッパーネットワーク
 
Kerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .NetKerberos Survival Guide - St. Louis Day of .Net
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
LDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
Arunangshu Bhakta
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Securing Hadoop by Sr. Principal Technologist Keys Botzum
Securing Hadoop by Sr. Principal Technologist Keys BotzumSecuring Hadoop by Sr. Principal Technologist Keys Botzum
Securing Hadoop by Sr. Principal Technologist Keys Botzum
MapR Technologies
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
Map r hadoop-security-mar2014 (2)
Map r hadoop-security-mar2014 (2)Map r hadoop-security-mar2014 (2)
Map r hadoop-security-mar2014 (2)
MapR Technologies
 
OpenStack Keystone
OpenStack KeystoneOpenStack Keystone
OpenStack Keystone
Deepti Ramakrishna
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Stephen Gordon
 
IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive
Smita Raut
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?
LDAPCon
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
Rommel Garcia
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
Jsonr4
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
Steve Martinelli
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystone
UT, San Antonio
 
77201924
7720192477201924
77201924
IJRAT
 
77201924
7720192477201924
77201924
IJRAT
 
Ad

More Related Content

What's hot (20)

Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
LDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
Arunangshu Bhakta
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Securing Hadoop by Sr. Principal Technologist Keys Botzum
Securing Hadoop by Sr. Principal Technologist Keys BotzumSecuring Hadoop by Sr. Principal Technologist Keys Botzum
Securing Hadoop by Sr. Principal Technologist Keys Botzum
MapR Technologies
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
Map r hadoop-security-mar2014 (2)
Map r hadoop-security-mar2014 (2)Map r hadoop-security-mar2014 (2)
Map r hadoop-security-mar2014 (2)
MapR Technologies
 
OpenStack Keystone
OpenStack KeystoneOpenStack Keystone
OpenStack Keystone
Deepti Ramakrishna
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Stephen Gordon
 
IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive
Smita Raut
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?
LDAPCon
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
Rommel Garcia
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
Jsonr4
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
Steve Martinelli
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystone
UT, San Antonio
 
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
Bridging the gap: Adding missing client (security) features using OpenLDAP pr...
LDAPCon
 
Building Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPABuilding Open Source Identity Management with FreeIPA
Building Open Source Identity Management with FreeIPA
LDAPCon
 
Kerberos and its application in cross realm operations
Kerberos and its application in cross realm operationsKerberos and its application in cross realm operations
Kerberos and its application in cross realm operations
Arunangshu Bhakta
 
Deep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons LearnedDeep Dive into Keystone Tokens and Lessons Learned
Deep Dive into Keystone Tokens and Lessons Learned
Priti Desai
 
Securing Hadoop by Sr. Principal Technologist Keys Botzum
Securing Hadoop by Sr. Principal Technologist Keys BotzumSecuring Hadoop by Sr. Principal Technologist Keys Botzum
Securing Hadoop by Sr. Principal Technologist Keys Botzum
MapR Technologies
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
Map r hadoop-security-mar2014 (2)
Map r hadoop-security-mar2014 (2)Map r hadoop-security-mar2014 (2)
Map r hadoop-security-mar2014 (2)
MapR Technologies
 
OpenStack Keystone
OpenStack KeystoneOpenStack Keystone
OpenStack Keystone
Deepti Ramakrishna
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Deep Dive: OpenStack Summit (Red Hat Summit 2014)
Stephen Gordon
 
IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive IBM Spectrum Scale Authentication For Object - Deep Dive
IBM Spectrum Scale Authentication For Object - Deep Dive
Smita Raut
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015Kerberos Survival Guide: SharePoint Saturday Nashville 2015
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
A Backend to tie them all?
A Backend to tie them all?A Backend to tie them all?
A Backend to tie them all?
LDAPCon
 
Kerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS ChicagoKerberos Survival Guide SPS Chicago
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
Rommel Garcia
 
Keystone deep dive 1
Keystone deep dive 1Keystone deep dive 1
Keystone deep dive 1
Jsonr4
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
Steve Martinelli
 
Security_of_openstack_keystone
Security_of_openstack_keystoneSecurity_of_openstack_keystone
Security_of_openstack_keystone
UT, San Antonio
 

Similar to Kerberos, Token and Hadoop (20)

77201924
7720192477201924
77201924
IJRAT
 
77201924
7720192477201924
77201924
IJRAT
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
IRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and EthereumIRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and Ethereum
IRJET Journal
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Richard Bullington-McGuire
 
Hyperledger Besu for Private & Public Enterprise introduction slides
Hyperledger Besu for Private & Public Enterprise introduction slidesHyperledger Besu for Private & Public Enterprise introduction slides
Hyperledger Besu for Private & Public Enterprise introduction slides
ssuser36a70f
 
Application portability with kubernetes
Application portability with kubernetesApplication portability with kubernetes
Application portability with kubernetes
Oleg Chunikhin
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014
Miguel Zuniga
 
The New Stack Container Summit Talk
The New Stack Container Summit TalkThe New Stack Container Summit Talk
The New Stack Container Summit Talk
The New Stack
 
Blockchain Based Decentralized Cloud System
Blockchain Based Decentralized Cloud SystemBlockchain Based Decentralized Cloud System
Blockchain Based Decentralized Cloud System
Dhruvdoshi25071999
 
[English]Medium Inc Company Profile
[English]Medium Inc Company Profile[English]Medium Inc Company Profile
[English]Medium Inc Company Profile
JaeKwon9
 
Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]
Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]
Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]
Accumulo Summit
 
CryptoStandards and protocols for digital secure communications
CryptoStandards and protocols for digital secure communicationsCryptoStandards and protocols for digital secure communications
CryptoStandards and protocols for digital secure communications
bipinbhattarai12
 
System Design SpecificationsThere are various methods of pro.docx
System Design SpecificationsThere are various methods of pro.docxSystem Design SpecificationsThere are various methods of pro.docx
System Design SpecificationsThere are various methods of pro.docx
deanmtaylor1545
 
IRJET - Confidential Image De-Duplication in Cloud Storage
IRJET - Confidential Image De-Duplication in Cloud StorageIRJET - Confidential Image De-Duplication in Cloud Storage
IRJET - Confidential Image De-Duplication in Cloud Storage
IRJET Journal
 
Introduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerIntroduction to Blockchain and Hyperledger
Introduction to Blockchain and Hyperledger
Dev_Events
 
Hadoop and Big Data Security
Hadoop and Big Data SecurityHadoop and Big Data Security
Hadoop and Big Data Security
Chicago Hadoop Users Group
 
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
QAware GmbH
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
Josef Adersberger
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
77201924
7720192477201924
77201924
IJRAT
 
77201924
7720192477201924
77201924
IJRAT
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
IRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and EthereumIRJET- Proof of Document using Multichain and Ethereum
IRJET- Proof of Document using Multichain and Ethereum
IRJET Journal
 
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Richard Bullington-McGuire
 
Hyperledger Besu for Private & Public Enterprise introduction slides
Hyperledger Besu for Private & Public Enterprise introduction slidesHyperledger Besu for Private & Public Enterprise introduction slides
Hyperledger Besu for Private & Public Enterprise introduction slides
ssuser36a70f
 
Application portability with kubernetes
Application portability with kubernetesApplication portability with kubernetes
Application portability with kubernetes
Oleg Chunikhin
 
Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014Cloud Platform Symantec Meetup Nov 2014
Cloud Platform Symantec Meetup Nov 2014
Miguel Zuniga
 
The New Stack Container Summit Talk
The New Stack Container Summit TalkThe New Stack Container Summit Talk
The New Stack Container Summit Talk
The New Stack
 
Blockchain Based Decentralized Cloud System
Blockchain Based Decentralized Cloud SystemBlockchain Based Decentralized Cloud System
Blockchain Based Decentralized Cloud System
Dhruvdoshi25071999
 
[English]Medium Inc Company Profile
[English]Medium Inc Company Profile[English]Medium Inc Company Profile
[English]Medium Inc Company Profile
JaeKwon9
 
Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]
Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]
Accumulo Summit 2015: Ambari and Accumulo: HDP 2.3 Upcoming Features [Sponsored]
Accumulo Summit
 
CryptoStandards and protocols for digital secure communications
CryptoStandards and protocols for digital secure communicationsCryptoStandards and protocols for digital secure communications
CryptoStandards and protocols for digital secure communications
bipinbhattarai12
 
System Design SpecificationsThere are various methods of pro.docx
System Design SpecificationsThere are various methods of pro.docxSystem Design SpecificationsThere are various methods of pro.docx
System Design SpecificationsThere are various methods of pro.docx
deanmtaylor1545
 
IRJET - Confidential Image De-Duplication in Cloud Storage
IRJET - Confidential Image De-Duplication in Cloud StorageIRJET - Confidential Image De-Duplication in Cloud Storage
IRJET - Confidential Image De-Duplication in Cloud Storage
IRJET Journal
 
Introduction to Blockchain and Hyperledger
Introduction to Blockchain and HyperledgerIntroduction to Blockchain and Hyperledger
Introduction to Blockchain and Hyperledger
Dev_Events
 
Hadoop and Big Data Security
Hadoop and Big Data SecurityHadoop and Big Data Security
Hadoop and Big Data Security
Chicago Hadoop Users Group
 
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...
QAware GmbH
 
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ... The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
The Good, the Bad and the Ugly of Migrating Hundreds of Legacy Applications ...
Josef Adersberger
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
Ad

Recently uploaded (20)

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Ad

Kerberos, Token and Hadoop

  • 1. Kerberos, Token and Hadoop MIT Kerberos Day Intel Big Data Technologies [email protected] 1
  • 2. Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 2
  • 4. 4 When Hadoop adding security  Initially no authentication at all  Kerberos or SSL/TLS?  Adding security should not impact performance much  Kerberos is used to authenticate users, GSSAPI/SASL is used between C/S, encryption on wire could be optional
  • 5.  End users to services, using password  Services to services, using service credentials/keytabs  Services to services, delegating users, using service credentials  MR tasks to services, delegating users, using delegation token Kerberos authentication 5
  • 7. 7 Deploying Kerberos Provisioning service credentials/keytabs
  • 9. Strengths  Symmetric encryption, mutual authentication  Flexible SASL QoP, authentication (privacy) by default  Command line (kinit, SSO) + Browser (SPNEGO)  Mature, available in Linux/Windows + J2SE 9
  • 10. Challenges  Hadoop ecosystem is large and still fast evolving, other authentication solutions are desired  Hadoop cluster can be large, the traffic can be huge  Services are dynamically provisioned and relocated on demand  Applications are to run in containerized environment, and can be dynamically scheduled and relocated to other nodes automatically  Different deployment environments and scenarios, with different requirements 10
  • 11.  Lagged Kerberos feature support in Java (PKINIT, S2U only added recently, etc.)  Lacking fine-grained authorization support  Lacking strong delegation support in Kerberos/Java stack  Inconvenient and limited browser access via SPNEGO, for work around to bypass Kerberos exposing internal delegation token  Encryption not set in SASL via (QoP) by default, and might involve performance impact (benchmark and optimization?)  AES 256 isn’t supported by Java by default  Just get it work, allow_weak_crypto is used;  kinit –R issue Problems 11
  • 12. Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 12
  • 13. Hadoop tokens Existing Hadoop tokens for internal authentication: delegation token, job token, block access token … 13
  • 14. TokenAuth effort Proposed token for primary/initial authentication 14
  • 15. Requirements  Allow to integrate 3rd party authentication solutions  Help enforce fine-grained authorization  Supporting OAuth 2.0 token and work flow is desired for cloud deployment 15
  • 16. Challenges  Involve great change over the ecosystem  May break existing applications built on the platform  Over complex, involving both Identity Token and Access Token with related services, the work flow is quite complex. (Reinvent Kerberos?)  Big impact for performance or security concerns We either use TLS/SSL to protect token or don’t care about it at all. The former involves performance impact, the latter suffers security consideration. 16
  • 17. Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 17
  • 18. TokenPreauth mechanism Allows user to authenticate to KDC using 3rd party tokens instead of password 18
  • 19. TokenPreauth mechanism (cont’d)  Defines required token attribute values based on JWT token, reusing existing attributes  Support Bearer Token and allows to support Holder-of-Key Token in future  Support Identity Token (or ID Token) and allows to support Access Token in future 19
  • 20. TokenPreauth mechanism (cont’d)  Client principal may exist or not during token validating and ticket issuing  kinit –X token=[Your-Token], by default ref. ~/.kerbtoken  How token being generated may be out of scope, left for token authority  Identity Token -> Ticket Granting Ticket, Access Token -> Service Ticket  Ticket lifetime derived from token SHOULD be in the time frame of the token  Ticket derived from token may be not renewable 20
  • 21. Access Token profile  Based on TokenPreauth, allow Access Token to be used to request Service Ticket directly in AS exchange  Should be useful to support OAuth 2.0 Web flow in Kerberized Resource Server with backend service 21
  • 22. Why it matters  Token and OAuth are widely used in Internet, cloud and mobile, more and more popular  It allows Kerberized systems to be supported in token’s world  Also allows Kerberized systems to integrate other authentication solutions thru token and Token Authority, without modification of existing codes.  May help Kerberos evolve in both cloud and big data platform  Make extra sense for Hadoop, supporting token across the ecosystem without performance impact 22
  • 23. How it is going  We’re collaborating with MIT to standardize  Initial drafts, under MIT team’s review  Should be submitted to KITTEN WG soon  PoC done targeting for Hadoop 23
  • 24. Outline 1. Kerberos and Hadoop 2. Token and Hadoop 3. Token and Kerberos 4. Kerberos, Token and Hadoop 5. Future work 24
  • 25. Kerberos + Token for Hadoop  Let’s combine all of these together
  • 27. PoC: Token authentication JAAS module 27
  • 28. PoC: Browser and Web support 28
  • 29.  Implement the mechanism and have it included in next MIT Kerberos release, collaborating with MIT team  Or at least, provide the plugin binary download and source codes repository for public usage and review  Make a complete token solution based on Kerberos for Hadoop Next step 29
  • 30.  The Repo: https://github.com/drankye/haox  Working on a first class Java Kerberos client library  Catch up with latest Kerberos features and fill gaps lagged by Java – PKINIT – TokenPreauth Haox project 30
  • 31. Haox-asn1  A data driven ASN-1 encoding/decoding framework  A simple example, AuthorizationData type from RFC4210 31
  • 32. Haox-asn1 (cont’d)  A data driven ASN-1 encoding/decoding framework  A simple example, AuthorizationData type from RFC4210 32
  • 33. Haox-asn1 (cont’d)  A data driven ASN-1 encoding/decoding framework  A more complex example, from X.690-0207 33
  • 34. Haox kerb-crypto  Implementing des, des3, rc4, aes, camellia encryption and corresponding checksum types  Interoperates with MIT Kerberos  Independent with Kerberos codes in JRE, but rely on JCE 34
  • 35.  ASN-1 (done)  Core spec types (done)  Crypto (done)  AS client (going)  Preauth framework (going)  PKINIT (going) Haox Status 35
  • 36. Future work  Combining all of these effort together, make a complete token solution for Hadoop  Additionally, we’d also like to make Kerberos deployment be more easily and readily even for large Hadoop clusters It’s Intel’s mission that makes Hadoop more enterprise-grade security ready  We’re also interested in evolving Kerberos for cloud platform, particularly, how Kerberized services and applications can be dynamically scheduled to nodes and bootstrap  Will investigate how Intel’s technology like TEE/TXT can help thru all of these 36
  • 37. Trusted Execution Technology (TXT)  Establishing root of trust through measurement of hardware and pre-launch software components, and utilizing the result, 1.Run your workload and data on a trusted 2.Protect your workload and data 3.Avoid compromising security in the cloud 4.Sealed and secured storage 37
  • 38. Kerberos with TXT  With the secured storage provided by TXT, 1.Protect credential cache to store TGTs for Kerberos 2.Protect token cache for Hadoop 3.Protect encryption keys for data 4.Protect key store for management
  • 39. Kerberos with TXT (cont’d)  With secured token cache and trusted execution by TXT, TokenPreauth can be deployed with host keytab/cert
  • 40. Thanks! You feedback are very welcome Please contact [email protected] for update. 40