Adding Kerberos service principals for each node in a cluster
Steps for adding Kerberos principals.
Prerequisites
- Installed and verified the software as described in Setting up your environment.
- An existing Kerberos realm.
- An existing KDC is running.
- Admin rights to the KDC.
Procedure
-
On each node, note the fully qualified domain name (FQDN) of the machine:
$ hostname --fqdn
node1.example.com
-
On the Kerberos Key Distribution Center (KDC), run the kadmin command and create a service principal and an HTTP principal for the node:
$ kadmin -p user_name/admin
kadmin: addprinc -randkey dse_user/FQDN
kadmin: addprinc -randkey HTTP/FQDN
kadmin: quit
where
Parameter   Description
addprinc    The add_principal command requires the add administrative privilege and creates the new principal.
dse_user    The UNIX user that runs DataStax Enterprise; it is also used as the service principal name. This value depends on the type of install:
            - Installer-Services and Package installations: usually cassandra
            - Installer-No Services and Tarball installations: the name of the UNIX user that starts the service
FQDN        The fully qualified domain name of the host where DataStax Enterprise is running.
-randkey    Sets the key of the principal to a random value.
Example:
$ kadmin -p parzival/admin
kadmin: addprinc -randkey cassandra/node1.example.com
kadmin: addprinc -randkey HTTP/node1.example.com
kadmin: addprinc -randkey cassandra/node2.example.com
kadmin: addprinc -randkey HTTP/node2.example.com
kadmin: quit
- Optional:
Verify that the principals have been added by running the listprincs command within kadmin:
kadmin: listprincs
HTTP/node1.example.com@EXAMPLE.COM
HTTP/node2.example.com@EXAMPLE.COM
cassandra/node1.example.com@EXAMPLE.COM
cassandra/node2.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
where node*.example.com is the FQDN and EXAMPLE.COM is your Kerberos realm, which must be all uppercase.
-
Create a keytab file for each node containing the keys of the principals for that node:
$ kadmin -p user_name/admin
kadmin: ktadd -k dse.keytab dse_user/FQDN
kadmin: ktadd -k dse.keytab HTTP/FQDN
kadmin: quit
where ktadd -k creates the keytab (or appends to it if it already exists) and extracts the keys of the dse_user and HTTP principals into it.
By default ktadd randomizes a principal's key as it extracts it and increments its key version number (KVNO), so extract each principal into exactly one keytab: running ktadd again for the same principal invalidates any keytab written for it earlier.
Example:
$ kadmin -p parzival/admin
kadmin: ktadd -k /tmp/node1.keytab cassandra/node1.example.com
kadmin: ktadd -k /tmp/node1.keytab HTTP/node1.example.com
kadmin: ktadd -k /tmp/node2.keytab cassandra/node2.example.com
kadmin: ktadd -k /tmp/node2.keytab HTTP/node2.example.com
kadmin: quit
- Optional:
Use the klist command to view the principals, key versions and encryption types in each keytab. On the KDC, for node1:
$ sudo klist -e -kt /tmp/node1.keytab
Keytab name: FILE:/tmp/node1.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------
   2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
   2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
   2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
   2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
   2 14/02/16 22:03    cassandra/node1FQDN@YOUR_REALM (des3-cbc-sha1)
   2 14/02/16 22:03    cassandra/node1FQDN@YOUR_REALM (arcfour-hmac)
   2 14/02/16 22:03    cassandra/node1FQDN@YOUR_REALM (des-hmac-sha1)
   2 14/02/16 22:03    cassandra/node1FQDN@YOUR_REALM (des-cbc-md5)
where -k lists the contents of a keytab, -t adds the timestamp of each entry, and -e displays the encryption type of each key.
The encryption types in this output (des3-cbc-sha1, arcfour-hmac, des-hmac-sha1, des-cbc-md5) are legacy types from an old KDC; a current MIT Kerberos KDC issues aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 by default, and single-DES and RC4 (arcfour-hmac) keys should not be enabled in the KDC's supported encryption types. Every entry for a principal must carry the same KVNO, and that KVNO must match the one the KDC currently holds for the principal; otherwise the service cannot decrypt the tickets clients present.
Copy the node-specific keytab files from the KDC machine to the nodes:
$ scp /tmp/node1.keytab dse_user@node1.FQDN:/etc/dse/
$ scp /tmp/node2.keytab dse_user@node2.FQDN:/etc/dse/
Example:
$ scp /tmp/node1.keytab cassandra@node1.example.com:/etc/dse/
$ scp /tmp/node2.keytab cassandra@node2.example.com:/etc/dse/
A keytab holds the long-term keys of its principals, so remove the copies on the KDC as soon as the transfer succeeds, and do not leave them in a shared location such as /tmp longer than necessary.
-
On each node, change the name of the keytab file to dse.keytab. Make the file names identical across all the nodes to ensure that the entry in each node's dse.yaml is the same.
Example:
$ hostname --fqdn
node1.example.com
$ mv /etc/dse/node1.keytab /etc/dse/dse.keytab
-
Change the permissions on dse.keytab so that only the dse_user user can read and write to the keytab file. For example:
$ sudo chown cassandra:cassandra /etc/dse/dse.keytab
$ sudo chmod 600 /etc/dse/dse.keytab