Each service in HDP must have its own service principal with administrative permissions to use the kadmin command. Authentication credentials for principals are stored in a keytab file because services do not log in with a password to acquire their tickets. The keytab file is extracted from the Kerberos database and stored locally with the service principal. The randkey option to the kadmin command is used to generate the password.
You must create the principals using the mandatory naming conventions in the Service Principals table below. Each service principal's name appends the fully qualified domain name (FQDN) of the host on which it is running. This provides a unique principal name for services that run on multiple hosts, such as DataNodes and TaskTrackers. The addition of the hostname serves to distinguish, for example, a request from DataNode A from a request from DataNode B. This is important for two reasons:
1. If the Kerberos credentials for one DataNode are compromised, it does not automatically lead to all DataNodes being compromised.
2. If multiple DataNodes have exactly the same principal and are simultaneously connecting to the NameNode, and if the Kerberos authenticator being sent happens to have the same timestamp, then the authentication would be rejected as a replay request.
Note: The NameNode, Secondary NameNode, and Oozie require two principals each.
Note: If you are configuring High Availability (HA) for a Quorum-based NameNode, you must also generate a principal and keytab for the JournalNode service. In addition, HA requires two NameNodes, rather than a NameNode and a Secondary NameNode. HA uses the second as a standby NameNode. Both the first and the standby NameNodes require their own keytab files.
To create service principals and keytab files for HDP services:
Step 1: Create a service principal for each service using the kadmin utility:
kadmin: addprinc -randkey $<principal_name>/<fully.qualified.domain.name>@YOUR-REALM.COM
Table 18.1. Service Principals
Service | Component | Mandatory Principal Name |
---|---|---|
HDFS | NameNode | nn/$FQDN |
HDFS | NameNode HTTP | HTTP/$FQDN |
HDFS | SecondaryNameNode | nn/$FQDN |
HDFS | SecondaryNameNode HTTP | HTTP/$FQDN |
HDFS | DataNode | dn/$FQDN |
MR2 | History Server | jhs/$FQDN |
MR2 | History Server HTTP | HTTP/$FQDN |
YARN | ResourceManager | rm/$FQDN |
YARN | NodeManager | nm/$FQDN |
Oozie | Oozie Server | oozie/$FQDN |
Oozie | Oozie HTTP | HTTP/$FQDN |
Hive | Hive Metastore, HiveServer2 | hive/$FQDN |
Hive | WebHCat | HTTP/$FQDN |
HBase | MasterServer | hbase/$FQDN |
HBase | RegionServer | hbase/$FQDN |
ZooKeeper | ZooKeeper | zookeeper/$FQDN |
Nagios Server | Nagios | nagios/$FQDN |
JournalNode Server[a] | JournalNode | jn/$FQDN |
[a] Only required if you are setting up Quorum-based NameNode HA.
For example: To create the principal for a DataNode service, issue this command:
kadmin: addprinc -randkey dn/<datanode-host>@EXAMPLE.COM
Step 2: Extract the related keytab file and place it in the keytab directory (by default /etc/krb5.keytab) of the respective components:
kadmin: xst -k $<keytab_file_name> $<principal_name>/fully.qualified.domain.name
You must use the mandatory names for the $<keytab_file_name> variable shown in this table.
Table 18.2. Service Keytab File Names
Component | Principal Name | Mandatory Keytab File Name |
---|---|---|
NameNode | nn/$FQDN | nn.service.keytab |
NameNode HTTP | HTTP/$FQDN | spnego.service.keytab |
SecondaryNameNode | nn/$FQDN | nn.service.keytab |
SecondaryNameNode HTTP | HTTP/$FQDN | spnego.service.keytab |
DataNode | dn/$FQDN | dn.service.keytab |
MR2 History Server | jhs/$FQDN | nm.service.keytab |
MR2 History Server HTTP | HTTP/$FQDN | spnego.service.keytab |
YARN ResourceManager | rm/$FQDN | |
YARN NodeManager | nm/$FQDN | |
Oozie Server | oozie/$FQDN | oozie.service.keytab |
Oozie HTTP | HTTP/$FQDN | spnego.service.keytab |
Hive Metastore, HiveServer2 | hive/$FQDN | |
WebHCat | HTTP/$FQDN | spnego.service.keytab |
HBase Master Server | hbase/$FQDN | |
HBase RegionServer | hbase/$FQDN | |
ZooKeeper | zookeeper/$FQDN | |
Nagios Server | nagios/$FQDN | nagios.service.keytab |
Journal Server[a] | jn/$FQDN | jn.service.keytab |
[a] Only required if you are setting up NameNode HA.
For example: To create the keytab files for the NameNode, issue these commands:
kadmin: xst -k nn.service.keytab nn/<namenode-host>
kadmin: xst -k spnego.service.keytab HTTP/<namenode-host>
When you have created the keytab files, copy them to the keytab directory of the respective service hosts.
Step 3: Verify that the correct keytab files and principals are associated with the correct service using the klist command. For example, on the NameNode:
klist -k -t /etc/security/nn.service.keytab
Do this on each respective service host in your cluster.
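The three steps above, scripted for one NameNode and two DataNodes, as an added example that is not part of the HDP documentation: it builds the per-host principal names and the addprinc/xst lines from the conventions in Tables 18.1 and 18.2, and wraps the klist check of Step 3. The realm, the keytab directory and the host names are placeholders (assumptions); the kadmin commands are only printed, not run.

```shell
#!/bin/sh
# Added example (not from the HDP documentation): build the kadmin commands for
# the HDP service principals and keytab files of one host, following the naming
# conventions in Tables 18.1 and 18.2 (short-name/FQDN@REALM, <x>.service.keytab).
# REALM, KEYTAB_DIR and the host names below are placeholders (assumptions).

REALM="${REALM:-EXAMPLE.COM}"
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"

# <short>/<fqdn>@REALM: the FQDN makes the principal unique per host, so a
# compromised DataNode keytab does not cover the other DataNodes.
principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$REALM"
}

# addprinc + xst for one principal. -randkey: services never log in with a
# password; the random key goes straight into the keytab.
kadmin_lines() {
    p="$(principal "$1" "$2")"
    printf 'addprinc -randkey %s\n' "$p"
    printf 'xst -k %s/%s %s\n' "$KEYTAB_DIR" "$3" "$p"
}

# NameNode hosts need two principals: nn and the HTTP (SPNEGO) principal.
namenode_batch() {
    kadmin_lines nn   "$1" nn.service.keytab
    kadmin_lines HTTP "$1" spnego.service.keytab
}

# DataNode hosts need one principal each, named after their own FQDN.
datanode_batch() {
    kadmin_lines dn "$1" dn.service.keytab
}

# Step 3 check: does the extracted keytab actually hold the expected principal?
# Requires klist on the service host; returns non-zero if the principal is missing.
verify_keytab() {
    klist -k -t "$1" | grep -q "$(principal "$2" "$3")"
}

# Print the batch for a constructed NameNode and two DataNodes. On the KDC the
# output can be fed to kadmin.local, e.g.: namenode_batch nn1.example.com | kadmin.local
namenode_batch nn1.example.com
datanode_batch dn1.example.com
datanode_batch dn2.example.com
```

After copying a keytab to its host, `verify_keytab /etc/security/keytabs/dn.service.keytab dn dn1.example.com` exits 0 only if that host's own dn principal is in the file.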