Re: Impersonate Kerberos user on HDFS
From: simo@redhat.com (Simo Sorce)
Newsgroups: comp.protocols.kerberos
Subject: Re: Impersonate Kerberos user on HDFS
Date: Thu, 11 Apr 2024 15:41:57 -0400
Organization: Red Hat
Lines: 61
Message-ID: <mailman.84.1712864532.2322.kerberos@mit.edu>
References: <4FD44739-01B9-4D7A-B383-D3B7B4BFF047@free.fr>
<202404111224.43BCOTL9014923@hedwig.cmf.nrl.navy.mil>
<df90fa76175d10283acb659b62a9512f54a8dd8e.camel@redhat.com>

On Thu, 2024-04-11 at 08:24 -0400, Ken Hornstein via Kerberos wrote:
> > - impersonate the user as, say, admin, with kinit; e.g. kinit <user>
> > - scan all HDFS directories and try to read or write
> >
> > Does anyone have suggestions?
>
> In general, your options are:
>
> - Have access to the user's key/password and generate a ticket for that
>   user using kinit. As someone else already noted, this isn't really
>   impersonating a user.
> - Have access to the TGS key and generate a TGT for that user (or any user).
>   This is generally referred to as "ticket printing". I don't _think_
>   the Kerberos distributions come with a utility to do that, but I
>   believe there are example programs floating around that do that. I
>   have to say that doing so would require access to the TGS key and
>   having that outside of your Kerberos database would be extremely
>   dangerous as if it was compromised your entire realm would be
>   compromised.
> - Have access to the HDFS service key and print a service ticket for that
>   user. Again, I don't know if the Kerberos distributions have such
>   a utility, but this would be less dangerous (you already have to have
>   the HDFS key on disk somewhere). I don't know how Kerberos works with
>   HDFS, but if there are multiple service tickets for a HDFS filesystem
>   spread across multiple servers that might be complicated.

Modern Kerberos implementations additionally allow impersonating users
via the S4U2Self and S4U2Proxy services (implementations like AD and
FreeIPA provide this, but the standard MIT db does not) without having to
obtain any secret credential out of services.

That said, trying to read/write files can have unwanted side effects on
a large shared file system.

POSIX ACLs are not that hard to interpret, but group memberships can get
tricky to resolve without access to how the HDFS server resolves them (or
how the KDC resolves them, in case AD is used and the MS-PAC is used by
Hadoop to infer the group membership of a user from its authentication
ticket).

Philippe,
this is not a trivial problem; it may make sense to consider what brought
you to this point and whether there is any better way to handle the problem
at hand.

Simo.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
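As an added example, not code from this thread or from Hadoop, the following Python evaluates a POSIX-style ACL of the kind HDFS exposes, offline, for a user whose groups come from an external resolver, so access can be reviewed without test-reading or test-writing a shared file system; it shows how the answer changes with the group source the reply above mentions. The ACL entries, both group maps, and the names `evaluate`, `can`, `GROUPS_FROM_HDFS` and `GROUPS_FROM_PAC` are constructed here, not taken from any real deployment.

```python
# Added example, not code from the thread or from Hadoop: evaluate a
# POSIX-style ACL (the model HDFS uses) offline for a given user, so access
# can be reviewed without test-reading or test-writing a shared file system.
# All ACL entries and group mappings below are constructed sample data.

R, W, X = 4, 2, 1  # permission bits, as in rwx


def evaluate(acl, user, groups, want):
    """Return True if `user`, a member of `groups`, holds every bit in `want`.

    Follows the POSIX ACL check order: owner, named user, owning group or
    named groups (any matching entry that grants the bits wins), then other.
    The mask is ANDed into named-user and all group entries, never into
    owner or other.
    """
    mask = acl.get("mask", R | W | X)
    if user == acl["owner_name"]:
        return acl["owner"] & want == want
    if user in acl.get("named_users", {}):
        return acl["named_users"][user] & mask & want == want
    group_bits = []
    if acl["group_name"] in groups:
        group_bits.append(acl["group"])
    group_bits += [b for g, b in acl.get("named_groups", {}).items() if g in groups]
    if group_bits:
        return any(b & mask & want == want for b in group_bits)
    return acl["other"] & want == want


# Constructed ACL for a hypothetical /data/finance directory.
SAMPLE_ACL = {
    "owner_name": "alice", "owner": R | W | X,
    "group_name": "finance", "group": R | X,
    "other": 0,
    "mask": R | X,                      # caps every group/named-user entry at r-x
    "named_users": {"bob": R | W | X},  # bob's write bit is neutralised by the mask
    "named_groups": {"auditors": R},
}

# Two group resolvers that disagree, illustrating the point in the reply:
# the HDFS server's own mapping versus what a KDC (AD, via the MS-PAC) says.
GROUPS_FROM_HDFS = {"carol": {"staff"}, "dave": {"auditors"}}
GROUPS_FROM_PAC = {"carol": {"staff", "finance"}, "dave": {"auditors"}}


def can(user, want, resolver):
    """Access decision for `user` using the given group resolver."""
    return evaluate(SAMPLE_ACL, user, resolver.get(user, set()), want)
```

Running `can("carol", R, GROUPS_FROM_HDFS)` and `can("carol", R, GROUPS_FROM_PAC)` gives opposite answers for the same ACL, which is the trap with an offline review whose group source differs from the one the NameNode actually consults.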