What is kerberos?

Published 2020-05-30 02:53

Question:

I want to learn Hadoop security using Kerberos. I have configured Kerberos from this blog but don't know how to work on that.

  • I want to know how it actually works.
  • How to use it for Hadoop on Windows.
  • How to configure it for Windows.

Give me any tutorial link or concept to understand it.

Answer 1:

Here you find some helpful links:

  • I want to know how it actually works.
    • Very good introduction that is also very short - http://www.youtube.com/watch?v=kp5d8Yv3-0c
    • Conversation explaining Kerberos and how it is built - http://web.mit.edu/kerberos/www/dialogue.html
  • How to use it for Hadoop on Windows.
    • http://doc.mapr.com/display/MapR/Configuring+Kerberos+Authentication+for+Windows
    • https://fermi.service-now.com/kb_view.do?sysparm_article=KB0011316
  • How to configure it for Windows.
    • I think there is no clear blog for a successful configuration on Windows. Yet this installer will give a kick start - http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html#announcement

Will edit my answer further, if I could find more details.



Answer 2:

I will try to answer the question "How does Kerberos work?".

Client Authentication with the Authentication Server (AS)

  1. The client sends its client id to the AS (Authentication Server).
  2. The AS will look into the database to see whether the client exists or not. If it finds the client id, it will generate two messages and send them back to the client. In this step the Client to AS session key will be created.

Message A: {Client to AS session key} encrypted using the secret key of the client (taken from the database)

Message B: {Client Id, Client to AS session key, some other information} encrypted using the AS secret key

Now the client can decrypt Message A and get the Client to AS session key using his secret key, if he is the one he claims to be. Now the client has the session key and can make service requests to the AS.

Client service authorization

  1. The client prepares two messages and sends them to the AS to get a Client to Service Server (SS) session key.

Message C: {Message B, Id of the service}

Message D: {Client ID, Time stamp} encrypted using the Client to AS session key

  2. The AS will decrypt Message B, which is extracted from Message C, and obtain the Client to AS session key and the Client ID. Using the session key it will decrypt Message D and compare both Client IDs. If they are the same, the client is authenticated, and the AS will check the access control table for authorization for the specific service requested by the client. If he is authorized for that service, it will prepare two messages and send them to the client.

Message E: {Client ID, Client to SS session key, some other information} encrypted using the specific SS secret key

Message F: {Client to SS session key} encrypted using the Client to AS session key

Now the client can decrypt Message F using the Client to SS session key and he will obtain the Client to SS session key.

Client Service Request

The client will connect to the Service Server (SS) and do the following steps to receive the service.

  1. The client will prepare and send 2 messages to the SS.

Message G: {Message E}

Message H: {Client ID, time stamp} encrypted using the Client to SS session key

  2. The Service Server can now decrypt Message G using its secret key (remember that the AS encrypted Message E using the requested SS's secret key) and obtain the Client ID and the Client to SS session key. The SS will decrypt Message H using the obtained session key and obtain the Client ID from Message H. Both client ids, from Message H and from Message G, will be compared, and the SS can authenticate the request if they match.

Authentication also depends on the time stamp, client address and some other information, based on the implementation. This is a very basic approach to the Kerberos protocol. For more information visit Wikipedia.
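The Message A to H exchange described in this answer, as an added Python simulation that is not part of the answer or of any Kerberos implementation: a toy HMAC-based authenticated cipher stands in for Kerberos' real encryption, the principal names, keys and access control table are constructed for the demo, and the 300-second freshness window on the timestamp authenticators (the replay check the answer only mentions at the end) is an assumption.

```python
import hashlib, hmac, json, secrets, time

def _ks(key, nonce, n):  # PRF keystream: HMAC-SHA256 in counter mode
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # toy authenticated encryption (encrypt-then-MAC), stand-in for Kerberos' cipher
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # raises if the key is wrong or the blob was altered
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# Constructed long-term secrets: the KDC database on the AS side, a password/keytab elsewhere.
KEYS = {k: secrets.token_bytes(32) for k in ("alice", "AS", "hdfs/namenode")}
ACL = {"alice": {"hdfs/namenode"}}  # access control table consulted by the AS (assumed)

def _check_authenticator(auth, cid):  # same client id as the ticket and a fresh timestamp
    if auth["cid"] != cid or abs(time.time() - auth["ts"]) > 300:
        raise PermissionError("authenticator rejected")

def as_exchange(client_id):  # step 1: AS returns Messages A and B
    sk = secrets.token_bytes(32).hex()  # Client to AS session key
    return seal(KEYS[client_id], {"sk": sk}), seal(KEYS["AS"], {"cid": client_id, "sk": sk})

def service_ticket(msg_c, msg_d):  # step 2: AS checks Messages C/D, returns E and F
    tgt = unseal(KEYS["AS"], msg_c["msg_b"]); sk = bytes.fromhex(tgt["sk"])
    _check_authenticator(unseal(sk, msg_d), tgt["cid"])
    if msg_c["service"] not in ACL.get(tgt["cid"], ()):
        raise PermissionError("not authorized for " + msg_c["service"])
    ssk = secrets.token_bytes(32).hex()  # Client to SS session key
    return seal(KEYS[msg_c["service"]], {"cid": tgt["cid"], "ssk": ssk}), seal(sk, {"ssk": ssk})

def service_request(svc, msg_g, msg_h):  # step 3: SS checks Messages G/H
    ticket = unseal(KEYS[svc], msg_g)
    _check_authenticator(unseal(bytes.fromhex(ticket["ssk"]), msg_h), ticket["cid"])
    return ticket["cid"]  # the authenticated principal

def run_client(client_id, svc, client_key=None):  # client side of all three steps
    msg_a, msg_b = as_exchange(client_id)
    sk = bytes.fromhex(unseal(client_key or KEYS[client_id], msg_a)["sk"])  # needs the client's own key
    msg_e, msg_f = service_ticket({"msg_b": msg_b, "service": svc},
                                  seal(sk, {"cid": client_id, "ts": time.time()}))
    ssk = bytes.fromhex(unseal(sk, msg_f)["ssk"])
    return service_request(svc, msg_e, seal(ssk, {"cid": client_id, "ts": time.time()}))
```

A caller that does not hold the client's long-term key cannot open Message A, so it never learns the session key and the run fails at that step rather than at the service.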



Answer 3:

I have tried to explain the "how" part of the Kerberos protocol in my blog at: Kerberos. Please feel free to check it out. A summary of the same is as follows:

Kerberos is a trusted third-party authentication protocol designed for TCP/IP networks, which is based on symmetric cryptography.

Kerberos provides encrypted transport and authentication using security tokens and secure session keys, in order to secure the communication between the client and the server.

The Kerberos model basically consists of a Kerberos server which authenticates the client and provides security tokens in order to interact with a ticket granting service, or the TGS. The TGS is then responsible for authenticating this client for access to the actual server.

I have tried to describe it in a pictorial and step by step way in my blog.