On 10/04/2014 06:17 PM, Nordgren, Bryce L -FS wrote:
>> I would be very happy to learn that this is a mistake, but
their page is clear
> to the point of being emphatic.
> First they talk about S4u2proxy and s4u2self at the same time on the same
> page and it might be a bit confusing.
> S4u2proxy works as i described. S4u2self allows a service A to acquire a ticket
> on user's behalf for itself. This is controlled by central policy. Which
> can do that for which users.
> If them this service can use s4u2proxy then it can impersonate user but only
> for the purposes of working with service B and not in general. User does not
> provide any keys for that.
> Yes client does not have any control. It is totally abstracted from the client by
> service A. The whole intent is that the control is between configuration of
> service A and policies on the KDC and client does not need to know anything.
> AMO it is big win not a problem.
OK, so the default rocks config is that authentication to the compute nodes is handled
via ssh key, and the queue master has access to everyone's private key by virtue of
being a privileged process on the head node.
IN case of S4U2self/proxy you do not need to give the master private
keys to impersonate people. You just need to have a policy saying that
it can impersonate using its own key. That is the difference.
This proposed situation is functionally similar in that the KDC would be configured to
allow the queue manager to impersonate users as necessary in order to start jobs. The
impersonation can take the form of a forwardable TGT (I hope) which can be used to start
jobs via ssh across the cluster, providing each node access to data on shared filesystems.
With S4U2 the TGT is not forwarded. When TGT is forwarded them the
impersonation is unconstrained. With S4U2 the delegation is constrained
to impersonate only in relation to the specified target services and not
The main improvement is that long term secrets are better protected (publishing home
directories containing private keys to the cluster via NFS w/sec=sys vs. a single
unpublished keytab which unlocks all identities.)
As I understand it put_cred will need to be rewritten to support S4U mechanisms, in case
the job has been queued long enough that the tgt has expired.
I think so.
A remaining question is "what prevents the tgt/service tickets from expiring during
a running job causing my process to lose access to my shared filesystem"? Would each
compute node need to be running a service which can s4u2self/proxy? Is that service
There are two parts.
First of all gss-proxy helps you with privilege separation and s4u2 part.
Second the kerberos library itself is now capable of acquiring the
ticket on demand as needed. So even if there is no ticket available
because it expired the service would be able to conjure one on demand.
A second barrage of questions: when I was experimenting with PKINIT, the MIT Kerberos KDC
would not issue a TGT unless the user existed in its local database, and the local
database needed to have principals in the local realm. Can you S4U2self/proxy to
impersonate a non-local user without actually creating a cross-realm principal in the
local KDC (e.g., client principal is user/AD.EXAMPLE.COM(a)LOCAL.EXAMPLE.COM)? Can you
S4U2self/proxy to impersonate a user where the user's realm is not local (e.g.
user(a)AD.EXAMPLE.COM)? The latter is ideal, and maybe necessary to avoid a messy
many-to-one principal to identity mapping (not to mention a fundamental overhaul of
sssd's concept of "domains".)
I do not think it can. However with some sort of SAML bridging between
realms it might be able to in future.
For example you have an instance of a service that does file operations
on your behalf. The file operations are kerberized. The service is a web
You have user U in realm A and corresponding user in realm B. Realm A is
the home user realm (AD) and B is the service realm (in this case NFS
storage realm but OpenStack can be another example).
User hits web interface of the service; service redirects user to IdP;
IdP is in realm A; it uses kerberos ticket in realm A for IdP to
authenticate user; IdP creates and assertion and redirects back to
service; service takes assertion, maps it to account in realm B and does
s4u2self/proxy on user behalf. No the operation can be complete in realm B.
> What I was trying to say is that whether you give some one your keytab or
> your pki pair it really does not matter. Then they have them and they can do
> kinit or pkinit on your behalf that would result in the TGT.
My apologies for obfuscating the difference with my ignorance.
I fear I misspoke when I assumed that one could use the proxy certificate (PC) to PKINIT.
The subject of the PC is a kind of "augmented" user subject (issuer+single
common name element per proxy).  A PC is also forbidden to have a
"subjectAltName" , which is required by a PKINIT-able kx509 certificate. I
think these PCs are for use with 'GSI-enabled OpenSSH'  which is available in
EPEL and Fedora. Kerberos can't use them, but potentially an S4U enabled gateway
An RFC3280 Proxy Certificate does not expose your private key. The derived keypair (which
is given to the service but which is not exposed to you) is designed to be more similar to
a longish-lived proxiable service ticket than a password/keytab due to its limited
lifetime and embedded constraints. The proxy certificate should spell out the constraints
on the delegation using publicly documented policy languages, whereas providing a keytab
is unconstrained. (The "catch" is that there are no currently defined languages
in the IANA registry .) S4U constraints are KDC implementation specific and
not-communicate-able between clusters within a grid (and I suspect they are not embodied
in the ticket either). I do not believe there is a means to translate standardized
constraints in the PC (assuming a policy language is developed) to the Kerberos ticketing
system. For that matter, I do not believe I have seen evidence that Kerberos tickets have
a mechanism to refer to a vocabulary to express constraints. If a gateway were to exist,
it would have to restrict itself to requesting proxiable service tickets for the
particular services delegated in the PC. (Or grant a TGT for the special
The question is: Is constraint really necessary, or is delegation all that is required?
The most common use case may be to execute your job as you...Constraining things may just
lead to problems...
The downside, of course, is that a PC is not a Kerberos ticket and doesn't provide
access to a Kerberos-protected NFS export, even when it allows you to login and execute
code. Also, translating from GSI certificates to local identities is a big blank spot on
my mental map. Here there be dragons. Fundamentally I don't want to learn anything
new, I want cluster user management to leverage the same set of tools the rest of my
machines do. :) Like FreeIPA+views/sssd. Add a gateway if you join a grid.
This electronic message contains information generated by the USDA solely for the
intended recipients. Any unauthorized interception of this message or the use or
disclosure of the information it contains may violate the law and subject the violator to
civil or criminal penalties. If you believe you have received this message in error,
please notify the sender and delete the email immediately.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.