Adding Kerberos service principals for each node in a cluster
Steps for adding Kerberos principals.
Prerequisites
- Installed and verified the software as described in Setting up your environment.
- An existing Kerberos domain.
- An existing KDC is running.
- Admin rights to the KDC.
Procedure
- On each node, note the fully qualified domain name (FQDN) of the machine:

    hostname --fqdn
    node1.example.com

- On the Kerberos Key Distribution Center (KDC), run the kadmin command:

    kadmin -p admin_user/admin
    addprinc -randkey dse/FQDN
    addprinc -randkey HTTP/FQDN
    quit

  where

  Parameter   Description
  addprinc    The add_principal command requires the add administrative privilege and creates the new principal.
  dse         The service name is dse.
  FQDN        The fully qualified domain name of the host where DataStax Enterprise is running.
  -randkey    Sets the key of the principal to a random value.

  Example:

    kadmin -p admin_user/admin
    addprinc -randkey dse/node1.example.com
    addprinc -randkey HTTP/node1.example.com
    addprinc -randkey dse/node2.example.com
    addprinc -randkey HTTP/node2.example.com

- Optional: Verify that the principals have been added by running the listprincs command within kadmin:

    listprincs

  where node*.example.com is the FQDN and EXAMPLE.COM is your Kerberos realm, which must be all uppercase:

    HTTP/node1.example.com@EXAMPLE.COM
    HTTP/node2.example.com@EXAMPLE.COM
    dse/node1.example.com@EXAMPLE.COM
    dse/node2.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM

- Create a keytab file for each node with the principal keys for that node:

    kadmin -p admin_user/admin
    ktadd -k dse.keytab dse/FQDN
    ktadd -k dse.keytab HTTP/FQDN
    quit

  where ktadd -k creates or appends a keytab for the dse and HTTP principals.

  Example:

    kadmin -p admin_user/admin
    ktadd -k /tmp/node1.keytab dse/node1.example.com
    ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    ktadd -k /tmp/node2.keytab dse/node2.example.com
    ktadd -k /tmp/node2.keytab HTTP/node2.example.com

- Optional: Use the klist command to view your principals and keytabs. Node1:

    sudo klist -e -kt /var/tmp/dse.keytab

    Keytab name: FILE:/tmp/dse.keytab
    KVNO Timestamp        Principal
    ---- ---------------- ----------------------------------------------
       2 14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
       2 14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
       2 14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
       2 14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
       2 14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des3-cbc-sha1)
       2 14/02/16 22:03   dse/node1FQDN@YOUR_REALM (arcfour-hmac)
       2 14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des-hmac-sha1)
       2 14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des-cbc-md5)

  where -e displays the encryption type and -kt displays the keytab file and its timestamp.

- Copy the node-specific keytab files from the KDC machine to the nodes:

    scp /tmp/node1.keytab dse@node1.FQDN:/etc/dse/
    scp /tmp/node2.keytab dse@node2.FQDN:/etc/dse/

- On each node, change the name of the keytab file to dse.keytab. Make the file names identical across all the nodes to ensure that the entry in each node's dse.yaml is the same.

  Example:

    hostname --fqdn
    node1.example.com
    mv /etc/dse/node1.keytab /etc/dse/dse.keytab

- Change the permissions on dse.keytab so that only the dse_user user can read and write to the keytab file. For example:

    sudo chown cassandra:cassandra /etc/dse/dse.keytab
    sudo chmod 600 /etc/dse/dse.keytab

  The location of the dse.yaml file depends on the type of installation:

  Installer-Services      /etc/dse/dse.yaml
  Package installations   /etc/dse/dse.yaml
  Installer-No Services   install_location/resources/dse/conf/dse.yaml
  Tarball installations   install_location/resources/dse/conf/dse.yaml

- To use a Kerberos non-default REALM with Hadoop, you must specify mapping rules to map the Kerberos principal to the local UNIX user name. Add this configuration key to the resources/hadoop/conf/dse-core.xml file:

    <property>
      <name>hadoop.security.auth_to_local</name>
      <value>
        RULE:[1:$1](.*)s/.*/\${username}/
        DEFAULT
      </value>
    </property>

  The default location of the dse-core.xml Hadoop configuration file depends on the type of installation:

  Installer-Services and Package installations      /etc/dse/hadoop/conf
  Installer-No Services and Tarball installations   install_location/resources/hadoop/conf/
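As an added example, not part of the DataStax documentation, the following POSIX shell checks wrap up the keytab steps above: they confirm that a node's keytab holds the dse/ and HTTP/ principals for that node's own FQDN and realm, flag the deprecated DES and RC4 encryption types of the kind visible in the klist output, and confirm the 0600 mode set by the chmod step. The klist listing embedded in the script is constructed sample output, and the /etc/dse/dse.keytab path is only consulted if it exists on the host.

```shell
#!/bin/sh
# Added example, not DataStax's code: post-install checks for a node's dse.keytab.
# check_keytab_principals LISTING FQDN REALM
#   LISTING is the text of `klist -e -kt <keytab>`. Succeeds only when both the
#   dse/FQDN@REALM and HTTP/FQDN@REALM principals are in it, so a keytab copied
#   to the wrong node, or built for another realm, is caught before dse starts.
check_keytab_principals() {
    listing=$1; fqdn=$2; realm=$3
    for svc in dse HTTP; do
        printf '%s\n' "$listing" | grep -qF " $svc/$fqdn@$realm " || return 1
    done
}

# weak_enctypes LISTING
#   Prints, deduplicated, the deprecated DES and RC4 encryption types found in a
#   `klist -e` listing (des-cbc-*, des3-cbc-sha1, arcfour-hmac); prints nothing
#   when the keytab holds only AES keys.
weak_enctypes() {
    printf '%s\n' "$1" | grep -o '([^)]*)' | tr -d '()' \
        | grep -E '^(des|arcfour)' | sort -u
    return 0
}

# check_keytab_mode FILE
#   Succeeds only when FILE exists with mode 0600 (owner read/write, nothing for
#   group or others), the state left by `chmod 600 /etc/dse/dse.keytab`.
check_keytab_mode() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed klist output for node1, in the shape shown in the procedure; the
# second key of each principal uses the deprecated RC4 type.
NODE1_LISTING='Keytab name: FILE:/etc/dse/dse.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 14/02/16 22:03:11 HTTP/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 14/02/16 22:03:11 HTTP/node1.example.com@EXAMPLE.COM (arcfour-hmac)
   2 14/02/16 22:03:11 dse/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 14/02/16 22:03:11 dse/node1.example.com@EXAMPLE.COM (arcfour-hmac)'

# Stand-alone run: report on the constructed listing, and on the real keytab if present.
if check_keytab_principals "$NODE1_LISTING" node1.example.com EXAMPLE.COM; then
    echo "node1: dse/ and HTTP/ principals present"
fi
weak=$(weak_enctypes "$NODE1_LISTING")
[ -n "$weak" ] && echo "node1: deprecated enctypes in keytab: $weak"
if [ -f /etc/dse/dse.keytab ] && ! check_keytab_mode /etc/dse/dse.keytab; then
    echo "/etc/dse/dse.keytab is not mode 0600"
fi
```

On a real node, replace NODE1_LISTING with `$(sudo klist -e -kt /etc/dse/dse.keytab)` and pass `$(hostname --fqdn)` and your realm to check_keytab_principals.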