Adding Kerberos service principals for each node in a cluster

Steps for adding Kerberos principals.

Prerequisites

  • Installed and verified the software as described in Setting up your environment.
  • An existing Kerberos domain.
  • An existing KDC is running.
  • Admin rights to the KDC.

Procedure

  1. On each node, note the fully qualified domain name (FQDN) of the machine:
    $ hostname --fqdn
    node1.example.com
  2. On the Kerberos Key Distribution Center (KDC), run the kadmin command:
    kadmin -p user_name/admin
    addprinc -randkey dse_user/FQDN
    addprinc -randkey HTTP/FQDN
    quit

    where

    Parameter   Description
    addprinc    The add_principal command requires the add administrative privilege and creates the new principal.
    dse_user    This value depends on the type of install:
                • Installer-Services and Package installations: usually cassandra
                • Package installations: the name of the UNIX user that starts the service
    FQDN        The fully qualified domain name of the host where DataStax Enterprise is running.
    -randkey    Sets the key of the principal to a random value.
    Example:
    kadmin -p parzival/admin
    addprinc -randkey cassandra/node1.example.com
    addprinc -randkey HTTP/node1.example.com
    addprinc -randkey cassandra/node2.example.com
    addprinc -randkey HTTP/node2.example.com
  3. Optional: Verify that the principals have been added by running the listprincs command within kadmin:
    $ listprincs
    HTTP/node1.example.com@EXAMPLE.COM
    HTTP/node2.example.com@EXAMPLE.COM
    cassandra/node1.example.com@EXAMPLE.COM
    cassandra/node2.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    where node*.example.com is the FQDN and EXAMPLE.COM is your Kerberos realm, which must be all uppercase.
  4. Create a keytab file for each node with the principals keys for that node:
    kadmin -p user_name/admin
    ktadd -k dse.keytab cassandra/FQDN
    ktadd -k dse.keytab HTTP/FQDN
    quit

    where ktadd -k writes the keys of the dse_user and HTTP principals into the named keytab file, creating the file if it does not exist and appending to it otherwise.

    Example:
    kadmin -p parzival/admin
    ktadd -k /tmp/node1.keytab cassandra/node1.example.com
    ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    ktadd -k /tmp/node2.keytab cassandra/node2.example.com
    ktadd -k /tmp/node2.keytab HTTP/node2.example.com
  5. Optional: Use the klist command to view your principals and keytabs:
    Node1:
    $ sudo klist -e -kt /tmp/dse.keytab

    Keytab name: FILE:/tmp/dse.keytab
    KVNO Timestamp        Principal
    ---- ---------------- ----------------------------------------------
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (des-cbc-md5)
    where: -e displays the encryption type of each key, -k lists the entries of the named keytab file, and -t shows the timestamp of each entry.
  6. Copy the node-specific keytab files from the KDC machine to the nodes:
    $ scp /tmp/node1.keytab dse_user@node1.FQDN:/etc/dse/
    $ scp /tmp/node2.keytab dse_user@node2.FQDN:/etc/dse/
    Example:
    $ scp /tmp/node1.keytab cassandra@node1.example.com:/etc/dse/
    $ scp /tmp/node2.keytab cassandra@node2.example.com:/etc/dse/
  7. On each node, change the name of the keytab file to dse.keytab.

    Make the file names identical across all the nodes to ensure that the entry in each node's dse.yaml is the same.

    Example:

    $ hostname --fqdn
    node1.example.com
    $ mv /etc/dse/node1.keytab /etc/dse/dse.keytab
  8. Change the permissions on dse.keytab so that only the dse_user user can read and write to the keytab file. For example:
    $ sudo chown cassandra:cassandra /etc/dse/dse.keytab
    $ sudo chmod 600 /etc/dse/dse.keytab
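    The verification in step 5 is easy to eyeball for two nodes but error-prone for a cluster. The following added script (not part of the DataStax documentation) parses the output of klist -e -kt for one node and checks that the keytab contains exactly the dse_user and HTTP principals for that node's FQDN, that the realm is uppercase, that each principal's keys share one KVNO, and that no deprecated single-DES, 3DES or RC4 enctypes remain. The listing, hostname and realm are constructed sample values.

```python
import re

# Constructed sample of "klist -e -kt" output for node1 (not captured from a real KDC).
SAMPLE_LISTING = """\
Keytab name: FILE:/tmp/dse.keytab
KVNO Timestamp        Principal
---- ---------------- ----------------------------------------------
2    14/02/16 22:03   HTTP/node1.example.com@EXAMPLE.COM (des3-cbc-sha1)
2    14/02/16 22:03   HTTP/node1.example.com@EXAMPLE.COM (arcfour-hmac)
2    14/02/16 22:03   cassandra/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2    14/02/16 22:03   cassandra/node1.example.com@EXAMPLE.COM (des-cbc-md5)
"""

# One keytab entry: KVNO, timestamp, service/host@REALM, and the enctype in parentheses.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+"
    r"(?P<service>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)

# Single DES, 3DES and RC4 (arcfour) are deprecated for Kerberos (RFC 6649 / RFC 8429).
WEAK_ETYPE_PREFIXES = ("des-", "des3-", "arcfour-")


def parse_klist(listing):
    """Return one dict per key entry found in klist -e -kt output; header lines are skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, listing.splitlines()) if m]


def check_keytab(listing, fqdn, realm, dse_user="cassandra"):
    """Compare a node's keytab listing with what steps 2 and 4 should have produced.
    Returns a list of findings; an empty list means the keytab looks correct."""
    findings = []
    entries = parse_klist(listing)
    if realm != realm.upper():
        findings.append("realm must be all uppercase: %s" % realm)
    for service in (dse_user, "HTTP"):
        mine = [e for e in entries if (e["service"], e["host"], e["realm"]) == (service, fqdn, realm)]
        if not mine:
            findings.append("missing principal %s/%s@%s" % (service, fqdn, realm))
        elif len({e["kvno"] for e in mine}) > 1:
            findings.append("mixed KVNOs for %s/%s (stale keys from an earlier ktadd?)" % (service, fqdn))
    for e in entries:
        if e["host"] != fqdn:  # a key for another node does not belong on this host
            findings.append("foreign principal %s/%s in this node's keytab" % (e["service"], e["host"]))
        if e["etype"].startswith(WEAK_ETYPE_PREFIXES):
            findings.append("weak enctype %s for %s/%s" % (e["etype"], e["service"], e["host"]))
    return findings
```

    Run it against the real listing with the node's own FQDN from hostname --fqdn; weak-enctype findings are cleared by restricting the enctypes the KDC issues and re-running addprinc -randkey and ktadd for the affected principals.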

What's next

Enabling DataStax Enterprise for Kerberos authentication