[lug] Kerberos question

[Bear Giles]

Hi, I mentioned Kerberos in passing in my intro at the last BLUG meeting
and a "best practices" question has come up.

We are using Kerberos authentication to connect to our Hive cluster. It
works fine in the development environment where we don't have to worry
about keytab security. What we're uncertain about is the ops environment
where we need to treat the keytab as sensitive as a private key. Easy on
your own system, not so easy in a hosted environment.

(We're the host, btw. We're also checking with our SME.)

I've tried to use digital certificates private keys as an analogue but that
doesn't take us very far since private keys can be stored in encrypted
keystores. That means we can store the keystore as a regular uploaded file
and keep the encryption key in more secure storage. I don't think there's a
way to encrypt keytabs.

Does anyone have any experience with this? We can probably fallback to a
username/password combo but I think everyone would prefer to use keytabs if
possible.

Thanks,

Bear
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20160615/3caeb36d/attachment.html>