Automating Kerberos Keytab Rotation at Uber

We previously published a blog about how we scaled adoption of MIT Kerberos™ at Uber. We built an automation system called KDP (Keytab Distribution Pipeline) that generates and distributes Kerberos keytabs (credentials) to systems that must authenticate with Kerberos. 

With the help of this system, we drove adoption of Kerberos authentication for several critical use cases. Some of the key use cases include:

  • Fetching search indexes from Apache HDFS™ that powers Uber Eats search
  • Enabling Apache Flink® security for several hundreds of streaming analytics applications
  • Authentication for all 250 Apache Zookeeper™ clusters used by data infrastructure
  • Batch analytics infrastructure authentication comprising 20+ systems

Growth in use cases drove up the number of keytabs to over 100,000 over 5 years. Due to the volume and security requirements of the use cases it supports, we chose to enable periodic rotation for Kerberos keytabs. 

Rotating over 100,000 Kerberos keytabs presents significant challenges, primarily due to two key factors:

  • Scale and complexity: Keytabs are distributed across thousands of applications and nodes, making manual rotation infeasible. There are no Kerberos APIs, open-source tools, or industry references for automating this at such scale, necessitating a custom solution. Rotating keytabs also requires coordination with Kerberos KDC and synchronization with the client, since Kerberos is based on symmetric key cryptography.  
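The second half of that bullet, that rotation has to be coordinated with the KDC and synchronized with the client because Kerberos keys are symmetric, is easiest to see in a small model. The Python below is an added example, not Uber's KDP code and not MIT Kerberos code: HMAC stands in for ticket encryption, the KDC is a toy with staged keys, and the names ToyKDC, ServiceKeytab, rotate_kdc_first and rotate_with_overlap are all hypothetical. It rests on one real Kerberos mechanism: every keytab entry and every service ticket carries a key version number (kvno), so a keytab can hold the old and new key side by side during a cutover.

```python
import hashlib
import hmac
import secrets


def ticket_tag(key: bytes, kvno: int, payload: bytes) -> bytes:
    """HMAC over (kvno, payload) stands in for encrypting a service ticket
    under the service key of that kvno (simplification, not real krb5)."""
    return hmac.new(key, kvno.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class ToyKDC:
    """The KDC's record of one service principal: a key per kvno plus the
    kvno it currently uses when issuing service tickets (hypothetical model)."""

    def __init__(self) -> None:
        self.keys = {1: secrets.token_bytes(32)}
        self.current = 1

    def stage_key(self) -> tuple[int, bytes]:
        """Generate the next key version without issuing tickets under it yet."""
        kvno = max(self.keys) + 1
        self.keys[kvno] = secrets.token_bytes(32)
        return kvno, self.keys[kvno]

    def activate(self, kvno: int) -> None:
        """Cut over: new service tickets are bound to this kvno from now on."""
        self.current = kvno

    def issue_ticket(self, client: str) -> dict:
        payload = f"client={client}".encode()
        return {"kvno": self.current, "payload": payload,
                "tag": ticket_tag(self.keys[self.current], self.current, payload)}


class ServiceKeytab:
    """The keytab on the service host: one entry per kvno it can decrypt."""

    def __init__(self) -> None:
        self.entries: dict[int, bytes] = {}

    def add_entry(self, kvno: int, key: bytes) -> None:
        self.entries[kvno] = key

    def purge_below(self, kvno: int) -> None:
        """Drop older entries once no ticket issued under them can still be valid."""
        self.entries = {k: v for k, v in self.entries.items() if k >= kvno}

    def accepts(self, ticket: dict) -> bool:
        key = self.entries.get(ticket["kvno"])
        if key is None:
            return False  # no key of that version: the ticket cannot be decrypted
        expected = ticket_tag(key, ticket["kvno"], ticket["payload"])
        return hmac.compare_digest(expected, ticket["tag"])


def rotate_kdc_first() -> bool:
    """Anti-pattern: the KDC switches keys before the service receives the new entry."""
    kdc, keytab = ToyKDC(), ServiceKeytab()
    keytab.add_entry(1, kdc.keys[1])
    kvno, _key = kdc.stage_key()
    kdc.activate(kvno)                                  # distribution has not happened yet
    return keytab.accepts(kdc.issue_ticket("alice"))    # every new ticket is rejected


def rotate_with_overlap() -> tuple[bool, bool, bool]:
    """Safe order: distribute the new entry, then cut the KDC over, and keep the
    old entry until every ticket issued under it has expired."""
    kdc, keytab = ToyKDC(), ServiceKeytab()
    keytab.add_entry(1, kdc.keys[1])
    old_ticket = kdc.issue_ticket("alice")              # outstanding ticket under kvno 1
    kvno, key = kdc.stage_key()
    keytab.add_entry(kvno, key)                         # step 1: new entry reaches the service
    kdc.activate(kvno)                                  # step 2: KDC cuts over
    new_ticket = kdc.issue_ticket("bob")
    old_ok_after_cutover = keytab.accepts(old_ticket)   # old entry still present
    new_ok = keytab.accepts(new_ticket)
    keytab.purge_below(kvno)                            # step 3: after the old ticket lifetime
    old_ok_after_purge = keytab.accepts(old_ticket)     # old tickets are now refused
    return old_ok_after_cutover, new_ok, old_ok_after_purge


if __name__ == "__main__":
    print("KDC-first rotation accepted:", rotate_kdc_first())
    print("overlap rotation (old, new, old after purge):", rotate_with_overlap())
```

The ordering in rotate_with_overlap is the synchronization the bullet describes: the new key must be on the service host before the KDC issues anything under it, and the old entry must survive for at least the maximum ticket lifetime, otherwise clients holding valid tickets start failing in the middle of a rotation.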