1.4. Creating Service Principals and Keytab Files for HDP

Each service in HDP must have its own principal. Because services do not log in with a password to acquire their tickets, each principal's long-term key is stored in a keytab file, which is extracted from the Kerberos database and kept locally on the host where that service runs. First create the principal, using the mandatory naming conventions. Then create the keytab file containing that principal's key and copy the file to the keytab directory on the appropriate service host.

  1. Create a service principal using the kadmin utility:

    kadmin: addprinc -randkey $principal_name/$fully.qualified.domain.name@YOUR-REALM.COM

    You must authenticate to kadmin as a principal with administrative permissions to use this command. The -randkey option generates a random key for the principal instead of prompting for a password: a service never needs a password, only the key that will be stored in its keytab.

    Note that in the example each service principal's name has appended to it the fully qualified domain name of the host on which it is running. This is to provide a unique principal name for services that run on multiple hosts, like DataNodes and TaskTrackers.

    The addition of the hostname serves to distinguish, for example, a request from DataNode A from a request from DataNode B. This is important for two reasons:

    • If the Kerberos credentials for one DataNode are compromised, it does not automatically lead to all DataNodes being compromised

    • If multiple DataNodes used exactly the same principal and connected to the NameNode at the same moment, and the Kerberos authenticators they sent happened to carry the same timestamp, the NameNode's replay detection would reject the later request as a replay.

    The $principal_name part of the name must match the values in the table below:

    Note that the NameNode, Secondary NameNode, and Oozie require two principals each.


    Table 13.1. Service Principal Names

    Service Name            Mandatory Principal Name
    ----------------------  ------------------------
    NameNode                nn AND HTTP
    Secondary NameNode      nn AND HTTP
    JobTracker              jt
    TaskTracker             tt
    DataNode                dn
    HBase Master            hbase
    HBase RegionServer      hbase
    ZooKeeper               zookeeper
    HCatalog Server         hcat
    Oozie                   oozie AND HTTP
    WebHCat (Templeton)     HTTP


    For example: To create the principal for a DataNode service, issue this command:

    kadmin: addprinc -randkey dn/$DataNode-Host@EXAMPLE.COM 
  2. Extract the related keytab file and place it in the keytab directory of the appropriate component. (Note that /etc/krb5.keytab is the default system keytab file, not a directory; this guide keeps the service keytabs under /etc/security/keytabs, the directory the permissions step below operates on.)

    kadmin: xst -norandkey -k $keytab_file_name $principal_name/$fully.qualified.domain.name@YOUR-REALM.COM

    xst (an alias of ktadd) re-randomizes the principal's key and increments its key version number unless -norandkey is given, and in MIT Kerberos -norandkey is accepted only by kadmin.local, not by the remote kadmin client. Extract each principal once and distribute the resulting keytab; if you extract it again later, any keytab made earlier no longer matches the KDC and that service will fail to authenticate. If the named keytab file already exists, xst appends to it rather than replacing it.

    You must use the mandatory names shown in this table for $keytab_file_name.

    Table 13.2. Service Keytab File Names

    Service Name            Mandatory Keytab File Name
    ----------------------  -----------------------------------------------
    NameNode                nn.service.keytab AND spnego.service.keytab
    Secondary NameNode      nn.service.keytab AND spnego.service.keytab
    JobTracker              jt.service.keytab
    TaskTracker             tt.service.keytab
    DataNode                dn.service.keytab
    HBase Master            hbase.service.keytab
    HBase RegionServer      hbase.service.keytab
    ZooKeeper               zookeeper.service.keytab
    HCatalog Server         hcat.service.keytab
    Oozie                   oozie.service.keytab AND spnego.service.keytab
    WebHCat (Templeton)     spnego.service.keytab


    For example: To create the keytab files for the NameNode, issue these commands:

    kadmin: xst -k nn.service.keytab nn/<namenode-host>
    kadmin: xst -k spnego.service.keytab HTTP/<namenode-host>

    When you have created the keytab files, copy them to the keytab directory of the respective service hosts.

  3. Set appropriate permissions for the keytabs. The pattern is: the keytab directory is owned by root:hadoop and group-readable, and each service keytab is owned by the account that service runs as, with mode 400 so that only that account can read it.

    1. Secure all the keytabs. Execute the following commands on all the hosts in your cluster:

      chown -R root:hadoop /etc/security/keytabs
      chmod -R g+rX,o= /etc/security/keytabs
    2. On the NameNode, execute the following commands:

      chown hdfs:hadoop /etc/security/keytabs/nn.service.keytab
      chmod 400 /etc/security/keytabs/nn.service.keytab

    3. Execute the following commands on all the slave nodes:

      chown hdfs:hadoop /etc/security/keytabs/dn.service.keytab
      chown mapred:hadoop /etc/security/keytabs/tt.service.keytab
      chmod 400 /etc/security/keytabs/*.service.keytab

    Any keytab that steps 2 and 3 do not explicitly tighten is left readable by every member of the hadoop group by step 1, so apply the same owner-plus-400 pattern to each other service keytab, owned by the account that service runs as.

  4. Verify that the correct keytab files and principals are associated with the correct service using the klist command (-k lists the keys in a keytab, -t adds their timestamps). For example, on the NameNode:

    klist -k -t /etc/security/keytabs/nn.service.keytab

    The listing should show nn/<namenode-host>@YOUR-REALM.COM and no principal for any other host. Do this on each respective service host in your cluster.
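The four steps above as one script, added here as an example and not part of the HDP guide: it generates the kadmin batch for steps 1 and 2 and the permission commands for step 3 from the two tables, and checks the output of klist for step 4. It assumes the realm EXAMPLE.COM, the keytab directory /etc/security/keytabs, the host names nn1.example.com and nn2.example.com, and owning accounts for the services the guide does not assign (marked in the code); the klist listings it checks are constructed samples.

```shell
#!/bin/sh
# Added example (not from the HDP guide): generate the kadmin batch, the
# permission commands and a keytab check for the per-host service principals
# described in steps 1-4. Assumptions: realm EXAMPLE.COM, keytab directory
# /etc/security/keytabs, and the service-account owners marked below.
REALM="EXAMPLE.COM"                 # assumption: edit for your site
KEYTAB_DIR="/etc/security/keytabs"  # the directory the permission step uses

# Service -> "principal-primary keytab-file owner" per Tables 13.1 and 13.2.
# Owners hdfs (nn, dn) and mapred (tt) come from the permission step; the
# others are assumptions; "-" means the guide gives no owner (shared SPNEGO).
service_info() {
    case "$1" in
        nn|snn)    echo "nn nn.service.keytab hdfs" ;;
        dn)        echo "dn dn.service.keytab hdfs" ;;
        jt)        echo "jt jt.service.keytab mapred" ;;                   # assumed owner
        tt)        echo "tt tt.service.keytab mapred" ;;
        hbase)     echo "hbase hbase.service.keytab hbase" ;;              # assumed owner
        zookeeper) echo "zookeeper zookeeper.service.keytab zookeeper" ;;  # assumed owner
        hcat)      echo "hcat hcat.service.keytab hcat" ;;                 # assumed owner
        oozie)     echo "oozie oozie.service.keytab oozie" ;;              # assumed owner
        HTTP)      echo "HTTP spnego.service.keytab -" ;;
        *)         return 1 ;;
    esac
}

# Full principal name for a service on a host: primary/FQDN@REALM.
# The host instance is what keeps DataNode A and DataNode B distinct.
principal() {  # principal SERVICE FQDN
    info=$(service_info "$1") || return 1
    echo "${info%% *}/$2@${REALM}"
}

# kadmin commands for one host. The keytab is written as FQDN.<name> on the
# admin machine because xst appends to an existing file: extracting a second
# host's key into the same file would merge two hosts' keys and defeat the
# per-host isolation. Rename to the mandatory name when copying to the host.
# xst without -norandkey randomizes the key and bumps its kvno, so run this
# once per principal and ship the resulting keytab.
kadmin_commands() {  # kadmin_commands FQDN SERVICE...
    host=$1; shift
    for svc in "$@"; do
        p=$(principal "$svc" "$host") || { echo "unknown service: $svc" >&2; return 1; }
        info=$(service_info "$svc"); rest=${info#* }; keytab=${rest%% *}
        echo "addprinc -randkey $p"
        echo "xst -k ${host}.${keytab} $p"
    done
}

# Permission commands for the keytabs of the listed services on one host,
# following the guide's pattern: root:hadoop on the directory, then owner =
# service account and mode 400 on each service keytab.
perm_commands() {  # perm_commands SERVICE...
    echo "chown -R root:hadoop ${KEYTAB_DIR}"
    echo "chmod -R g+rX,o= ${KEYTAB_DIR}"
    for svc in "$@"; do
        info=$(service_info "$svc") || return 1
        rest=${info#* }; keytab=${rest%% *}; owner=${info##* }
        if [ "$owner" = "-" ]; then
            echo "# ${keytab}: owner not given in the guide; use the account serving HTTP here"
            continue
        fi
        echo "chown ${owner}:hadoop ${KEYTAB_DIR}/${keytab}"
        echo "chmod 400 ${KEYTAB_DIR}/${keytab}"
    done
}

# Checks on the text of `klist -k -t FILE`: is the expected principal present,
# and does the file hold keys for any other host (it should not)?
has_principal() {  # has_principal KLIST_OUTPUT PRINCIPAL
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}
foreign_principals() {  # foreign_principals KLIST_OUTPUT FQDN -> principals of other hosts
    printf '%s\n' "$1" | awk -v host="$2" '$NF ~ /@/ {
        split($NF, a, "/"); split(a[2], b, "@")
        if (b[1] != host && !seen[$NF]++) print $NF }'
}

# Constructed sample of `klist -k -t nn.service.keytab` for the checks above.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/nn.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2014 00:00:00 nn/nn1.example.com@EXAMPLE.COM
   2 01/01/2014 00:00:00 nn/nn1.example.com@EXAMPLE.COM'
# The same file after a second host's key was appended into it by mistake.
SAMPLE_MERGED_KLIST="$SAMPLE_KLIST
   3 01/01/2014 00:00:00 nn/nn2.example.com@EXAMPLE.COM"

# Demo: the batch for a NameNode host (feed it to: kadmin.local < file).
kadmin_commands nn1.example.com nn HTTP
perm_commands nn HTTP
foreign_principals "$SAMPLE_MERGED_KLIST" nn1.example.com
```

The per-host file names emitted by kadmin_commands are deliberate: because xst appends, two hosts' keys extracted into one dn.service.keytab would give either host the other's key, which is exactly what the per-host principal convention is meant to prevent. foreign_principals run against the real klist output on each host is the check that this did not happen.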
