Kerberos is a network authentication protocol built on the assumption that the network is untrusted: packets can be read, modified, inserted or replayed by an attacker. Kerberos uses secret-key (symmetric) cryptography to provide strong authentication: the user is authenticated to the server and, when the client requests it, the server is authenticated back to the user (mutual authentication).
- A realm establishes an authentication administrative domain. Each realm has its own Kerberos database, which contains the users and services of that administrative domain.
- Principals are the entries in the Kerberos database. Each user, host or service is given a principal (of the form user@REALM or service/host@REALM).
- Tickets are issued by the KDC: the Authentication Server issues the Ticket Granting Ticket and the Ticket Granting Server issues service tickets. Clients present tickets to the application server to prove their identity. Each ticket has an expiration time and a maximum renewable lifetime. Once issued, a ticket is outside the KDC's control: it cannot be revoked. Even if a user is prevented from obtaining new tickets (for example because the principal has been disabled), a ticket the user already holds remains usable against the service until it expires. This is why ticket lifetimes should be kept short.
- A keytab is a file that stores the long-term keys of one or more principals; services and daemons use it to authenticate without a password being typed.
A Kerberos server, usually called the Key Distribution Center (KDC), normally resides on one physical host but is logically made up of several components:
- Database: contains the user and service entries (the principal's key, maximum ticket lifetime, maximum renewable lifetime, password expiration, etc.)
- Authentication Server (AS): replies to authentication requests from clients. This is the one step at which the not-yet-authenticated user must provide a password: the AS reply can only be decrypted with the key derived from that password. The AS sends back a Ticket Granting Ticket (TGT), which the user can use from then on without re-entering the password.
- Ticket Granting Server (TGS): issues service tickets based on the TGT.
To access a service using Kerberos a client must do the following:
1. Authenticate to the Kerberos Authentication Server and receive a Ticket Granting Ticket (TGT).
2. Present the TGT to the Ticket Granting Server and receive a service ticket for the service it wants to use.
3. Use the service ticket to authenticate to the server that is providing the service the client wants to use (in our case: HDFS, MapReduce, HBase, etc.).
The following picture shows the steps mentioned above.
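The three steps above, together with the caveat from the tickets bullet (a disabled principal's existing ticket keeps working until it expires), as an added, self-contained simulation written for this page. It is not code from the original document, from Hadoop or from any Kerberos implementation. The realm name, principal names, password, lifetimes, the function names (`authenticate`, `get_service_ticket`, `use_service`, `denied`, `demo`) and the toy encryption (a SHAKE-256 keystream plus HMAC standing in for a real Kerberos enctype) are all assumptions made here; what it reproduces is the message flow: AS-REQ/AS-REP with pre-authentication, TGS-REQ/TGS-REP, and the AP exchange that the service decides on its own with its keytab key, never contacting the KDC.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"          # assumed realm name
TICKET_LIFETIME = 10 * 3600    # assumed ticket lifetime (10 h)
CLOCK_SKEW = 300               # Kerberos tolerates 5 min of clock skew by default

def string2key(password, principal):               # toy string2key: PBKDF2 salted with the principal name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def seal(key, obj):
    """Toy authenticated encryption (SHAKE keystream, then HMAC) standing in for a Kerberos enctype."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(b"enc" + key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); fails closed if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(b"enc" + key + nonce).digest(len(ct)))))

def check_authenticator(ticket, authenticator, now):   # shared by TGS and application server
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(ticket["session"]), authenticator)
    if a["client"] != ticket["client"] or abs(a["timestamp"] - now) > CLOCK_SKEW:
        raise PermissionError("bad authenticator")

class KDC:
    def __init__(self):
        self.db = {}                                   # principal -> {"key": bytes, "enabled": bool}
        self.add_principal("krbtgt/" + REALM, os.urandom(16).hex())

    def add_principal(self, name, password):
        self.db[name] = {"key": string2key(password, name), "enabled": True}

    def _key(self, name):                              # refuses unknown or disabled principals
        if not self.db.get(name, {}).get("enabled"):
            raise PermissionError("unknown or disabled principal: " + name)
        return self.db[name]["key"]

    def as_exchange(self, client, preauth, now):
        """AS-REQ -> AS-REP. Pre-authentication: the client proves it knows the password before it gets anything."""
        ckey = self._key(client)
        if abs(unseal(ckey, preauth)["timestamp"] - now) > CLOCK_SKEW:
            raise PermissionError("pre-authentication failed")
        session, expires = os.urandom(32).hex(), now + TICKET_LIFETIME
        tgt = seal(self._key("krbtgt/" + REALM), {"client": client, "session": session, "expires": expires})
        return tgt, seal(ckey, {"session": session, "expires": expires})   # readable only with the password

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ -> TGS-REP: open the TGT with the krbtgt key, issue a ticket sealed with the service's key."""
        t = unseal(self._key("krbtgt/" + REALM), tgt)
        check_authenticator(t, authenticator, now)
        session = os.urandom(32).hex()
        ticket = seal(self._key(service), {"client": t["client"], "session": session, "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": session})

def ap_exchange(keytab_key, ticket, authenticator, now):
    """Application server (e.g. an HDFS NameNode): AP-REQ -> AP-REP, decided locally without asking the KDC."""
    t = unseal(keytab_key, ticket)                     # only the KDC holds the key that sealed this
    check_authenticator(t, authenticator, now)
    return t["client"], seal(bytes.fromhex(t["session"]), {"timestamp": now})

def authenticate(kdc, user, password, now):
    """Step 1: obtain a TGT from the AS. Returns (tgt, tgt_session_key)."""
    ukey = string2key(password, user)
    tgt, enc = kdc.as_exchange(user, seal(ukey, {"timestamp": now}), now)
    return tgt, bytes.fromhex(unseal(ukey, enc)["session"])

def get_service_ticket(kdc, user, tgt, tgt_key, service, now):
    """Step 2: trade the TGT for a service ticket at the TGS. Returns (ticket, service_session_key)."""
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user, "timestamp": now}), service, now)
    return ticket, bytes.fromhex(unseal(tgt_key, enc)["session"])

def use_service(keytab_key, user, ticket, key, now):
    """Step 3: present the ticket; verifying AP-REP authenticates the server to the client as well."""
    client, ap_rep = ap_exchange(keytab_key, ticket, seal(key, {"client": user, "timestamp": now}), now)
    if unseal(key, ap_rep)["timestamp"] != now:
        raise PermissionError("mutual authentication failed")
    return client

def denied(fn, *args):                                 # refusal message from a step, or None if it was accepted
    try: fn(*args)
    except PermissionError as e: return str(e)

def demo():
    """Steps 1-3, then the caveat: disabling a principal does not recall tickets already issued."""
    now, kdc, svc = 1_700_000_000, KDC(), "hdfs/nn.example.com"   # fixed clock; constructed names
    kdc.add_principal("alice", "correct horse")
    kdc.add_principal(svc, os.urandom(16).hex())
    keytab = kdc.db[svc]["key"]                                     # what 'kadmin ktadd' would export
    tgt, tgt_key = authenticate(kdc, "alice", "correct horse", now)             # step 1
    st, st_key = get_service_ticket(kdc, "alice", tgt, tgt_key, svc, now)       # step 2
    kdc.db["alice"]["enabled"] = False                              # the admin now locks the account...
    return (use_service(keytab, "alice", st, st_key, now + 3600),               # step 3 still succeeds
            denied(authenticate, kdc, "alice", "correct horse", now + 3600),    # ...but no new TGT
            denied(use_service, keytab, "alice", st, st_key, now + TICKET_LIFETIME + 1))  # until it expires
```

Calling `demo()` returns `("alice", "unknown or disabled principal: alice", "ticket expired")`: the service accepts the ticket issued before the account was locked, the KDC refuses a new TGT, and only expiry ends the access. Two things to notice when reading it: the application server's decision uses nothing but its keytab key and the clock (this is why clock skew and keytab protection matter), and a wrong password or a modified ticket fails at the integrity check rather than leaking anything, because the AS reply is only ever handed out after pre-authentication.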