4.2. Configure your existing KDC server - Hortonworks Data Platform

Modify the realm property for krb5.conf and kdc.conf file.

	Note
	Ensure that the realm value in your `krb5.conf` file matches with the default value for `realm` property in your `gsInstaller.properties` file.

Update the realm property in the kdc.conf file and copy this file to each node in your cluster.

Create the principals for all services in your Hadoop cluster.

Execute the following command:

kadmin: addprinc -randkey $$principal_name/fully.qualified.domain.name@YOUR-REALM.COM

The $principal_name must use the following mandatory naming conventions:

	Important
	Upper case name in the FQDN part of the principals does not work with Kerberos. (JIRA: HADOOP-7988)

Table 3.3. Secure deployment - Mandatory naming conventions for principals
Service Name	Principal Name (mandatory naming convention)
NameNode	nn and HTTP
Secondary NameNode	nn, HTTP
JobTracker	jt
TaskTracker	tt
DataNode	dn
HBase Master	hbase
HBase RegionServer	hbase
ZooKeeper	zookeeper
Hive Metastore	hive
Oozie	oozie
Oozie	HTTP
WebHCat	HTTP

Set permissions for keytabs directory to 755.

	Note
	The location of the keytab directory is specified by the `keytabdir` property in the `gsInstaller.properties` file.

Create keytab files for all services and assign required permissions.

kadmin: xst -norandkey -k $keytab_file_name $principal_name/fully.qualified.domain.name

where, the $keytab_file_name uses the following mandatory naming conventions:

Table 3.4. Secure deployment - Mandatory naming conventions for keytab files
Service Name	Keytab File Name	Principal Name	Permissions	Owner
NameNode	`nn.service.keytab`	`nn`	`700`	`hdfs:hadoop`
NameNode	`spnego.service.keytab`	`HTTP`	`700`	`hdfs:hadoop`
Secondary NameNode	`nn.service.keytab`	`nn`	`700`	`hdfs:hadoop`
Secondary NameNode	`spnego.service.keytab`	`HTTP`	`700`	`hdfs:hadoop`
JobTracker	`jt.service.keytab`	`jt`	`700`	`mapred:hadoop`
TaskTracker	`tt.service.keytab`	`tt`	`700`	`mapred:hadoop`
DataNode	`dn.service.keytab`	`dn`	`700`	`hdfs:hadoop`
HBase Master	`hbase.service.keytab`	`hbase`	`700`	`hbase:hadoop`
HBase RegionServer	`hbase.service.keytab`	`hbase`	`700`	`hbase:hadoop`
ZooKeeper	`zookeeper.service.keytab`	`zookeeper`	`700`	`zookeeper:hadoop`
Hive Metastore	`hive.service.keytab`	`hive`	`700`	`hive:hadoop`
Oozie	`oozie.service.keytab`	`oozie`	`700`	`oozie:hadoop`
Oozie	`spnego.service.keytab`	`HTTP`	`700`	`oozie:hadoop`
WebHCat	`spnego.service.keytab`	`HTTP`	`700`	`webhcat:hadoop`

On each of the node in your cluster, change directory to the keytab directory (the location is specified by the keytabdir property in the gsInstaller.properties file).

Copy the appropriate keytab file on each of node in your cluster.

Follow the steps listed in Step 2-2 through Step 2-4 above for creating keytab files and principals for the following users. Use the following mandatory naming conventions:

Table 3.5. Secure deployment - Mandatory naming conventions for HDFS service and Smoke test user's keytabs and host principals
User	Keytab File Name	Principal Name	Permissions
`$hdfsuser:hadoop`	`$hdfsuser.headless.keytab`	`$hdfsuser`	`700`
`$smoke_test_user:hadoop`	`$smoke_test_user.headless.keytab`	`$smoke_test_user`	`700`
`$hbaseuser:hadoop`	`$hbaseuser.headless.keytab`	`$hbaseuser`	`700`

where

$hdfsuser is the user owning HDFS services. For example, hdfs.
$smoke_test_user is the user that executes smoke tests to test if your Hadoop cluster is successfully deployed. By default, the value is hdptestuser.
$hbaseuser is the user owning HBase services. For example, hbase.