Adding Kerberos service principals for each node in a cluster 

Steps for adding Kerberos principals.

Prerequisites

  • Installed and verified the software as described in Setting up your environment.
  • An existing Kerberos realm.
  • A running KDC.
  • Admin rights on the KDC: a kadmin principal, such as user_name/admin, that is allowed to add principals and to extract their keys into a keytab.

Procedure

  1. On each node, note the fully qualified domain name (FQDN) of the machine:
    $ hostname --fqdn
    node1.example.com
  2. On the Kerberos Key Distribution Center (KDC), run the kadmin command:
    kadmin -p user_name/admin
    addprinc -randkey dse_user/FQDN
    addprinc -randkey HTTP/FQDN
    quit

    where

    Parameter   Description
    addprinc    The add_principal command; requires the add administrative privilege and creates the new principal.
    dse_user    The primary (first component) of the service principal. The value depends on the type of install:
                • Installer-Services and Package installations: usually cassandra
                • Installer-No Services and Tarball installations: the name of the UNIX user that starts the service
    FQDN        The fully qualified domain name of the host where DataStax Enterprise is running.
    -randkey    Sets the key of the principal to a random value, so the service principal never has a human-chosen password.
    Example:
    kadmin -p parzival/admin
    addprinc -randkey cassandra/node1.example.com
    addprinc -randkey HTTP/node1.example.com
    addprinc -randkey cassandra/node2.example.com
    addprinc -randkey HTTP/node2.example.com
  3. Optional: Verify that the principals have been added by running the listprincs command within kadmin:
    $ listprincs
    HTTP/node1.example.com@EXAMPLE.COM
    HTTP/node2.example.com@EXAMPLE.COM
    cassandra/node1.example.com@EXAMPLE.COM
    cassandra/node2.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    where node*.example.com is the FQDN and EXAMPLE.COM is your Kerberos realm. Realm names are case-sensitive and are written in uppercase by convention; the examples on this page assume an uppercase realm.
  4. Create a keytab file for each node containing the keys of that node's principals:
    kadmin -p user_name/admin
    ktadd -k dse.keytab cassandra/FQDN
    ktadd -k dse.keytab HTTP/FQDN
    quit

    where ktadd -k writes the named keytab file, creating it if it does not exist or appending to it otherwise, and adds the keys of the dse_user and HTTP principals to it. ktadd also generates a fresh random key for each principal and increments its key version number (KVNO), so run it once per principal: running it again later invalidates any keytab extracted earlier for that principal.

    Example:
    kadmin -p parzival/admin
    ktadd -k /tmp/node1.keytab cassandra/node1.example.com
    ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    ktadd -k /tmp/node2.keytab cassandra/node2.example.com
    ktadd -k /tmp/node2.keytab HTTP/node2.example.com
  5. Optional: Use the klist command to view the principals and keys in each keytab. For node1, still on the KDC:
    $ klist -e -kt /tmp/node1.keytab
    
    Keytab name: FILE:/tmp/node1.keytab
    KVNO Timestamp        Principal
    ---- ---------------- ----------------------------------------------
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   cassandra/node1FQDN@YOUR_REALM (des-cbc-md5)
    where -k reads a keytab file instead of a credential cache, -t shows each entry's timestamp, and -e shows its encryption type. The encryption types listed are the ones the KDC was configured to issue when the keys were generated. The single-DES and RC4 (arcfour-hmac) types in this sample output are deprecated and are rejected by current MIT Kerberos KDCs unless allow_weak_crypto is enabled; a current KDC normally lists aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 instead. Every entry for a principal should carry the same KVNO, and that KVNO must match the one held by the KDC, otherwise the node cannot decrypt the service tickets it receives.
  6. Copy the node-specific keytab files from the KDC machine to the nodes:
    $ scp /tmp/node1.keytab dse_user@node1.FQDN:/etc/dse/
    $ scp /tmp/node2.keytab dse_user@node2.FQDN:/etc/dse/
    Example:
    $ scp /tmp/node1.keytab cassandra@node1.example.com:/etc/dse/
    $ scp /tmp/node2.keytab cassandra@node2.example.com:/etc/dse/
    Each keytab holds the node's long-term keys, which are equivalent to a password for those principals. Transfer it only over an authenticated, encrypted channel such as scp, copy each file only to the node it belongs to, and delete the copies left in /tmp on the KDC once the nodes have their keytabs in place.
  7. On each node, change the name of the keytab file to dse.keytab.

    Make the file names identical across all the nodes to ensure that the entry in each node's dse.yaml is the same.

    Example:

    $ hostname --fqdn
    node1.example.com
    $ mv /etc/dse/node1.keytab /etc/dse/dse.keytab
  8. Change the owner and permissions of dse.keytab so that only the dse_user account can read and write the keytab file. For example:
    $ sudo chown cassandra:cassandra /etc/dse/dse.keytab
    $ sudo chmod 600 /etc/dse/dse.keytab
    The examples on this page place the keytab in /etc/dse/, next to dse.yaml. The location of the dse.yaml file depends on the type of installation:
    Installer-Services       /etc/dse/dse.yaml
    Package installations    /etc/dse/dse.yaml
    Installer-No Services    install_location/resources/dse/conf/dse.yaml
    Tarball installations    install_location/resources/dse/conf/dse.yaml
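The following shell helper is an added example that ties the steps above together; it is not part of the DataStax Enterprise documentation or tooling. It assumes a service principal primary of cassandra, the realm EXAMPLE.COM, an MIT Kerberos KDC (kadmin accepts commands on standard input and klist -e -kt prints one "KVNO Timestamp Principal (enctype)" line per key), and GNU stat for the permission check. kadmin_batch emits the kadmin commands for one node so that every node is keyed identically and ktadd runs exactly once per principal; audit_keytab_listing checks a klist listing for both service principals and for the deprecated DES, 3DES and RC4 key types shown in the step 5 sample; check_keytab_perms verifies the ownership and mode set in step 8. The sample listings at the end are constructed for the self-check, not real KDC output.

```shell
#!/bin/sh
# Added helper for the principal/keytab procedure; not DataStax code.
# Assumptions: service primary "cassandra", realm EXAMPLE.COM, MIT Kerberos
# kadmin/klist, GNU stat. Override SERVICE and REALM in the environment.

SERVICE=${SERVICE:-cassandra}
REALM=${REALM:-EXAMPLE.COM}

# Emit the kadmin commands for one node (steps 2 and 4) as a batch.
# Usage: kadmin_batch <fqdn> <keytab-path>
kadmin_batch() {
  fqdn=$1; keytab=$2
  printf 'addprinc -randkey %s/%s\n' "$SERVICE" "$fqdn"
  printf 'addprinc -randkey HTTP/%s\n' "$fqdn"
  printf 'ktadd -k %s %s/%s\n' "$keytab" "$SERVICE" "$fqdn"
  printf 'ktadd -k %s HTTP/%s\n' "$keytab" "$fqdn"
}

# Audit a `klist -e -kt` listing for one node (step 5): both service
# principals must be present and no entry may use a DES, 3DES or RC4 key,
# which current KDCs reject by default. Returns 0 on pass, 1 on any finding.
# Usage: audit_keytab_listing <fqdn> "<klist output>"
audit_keytab_listing() {
  fqdn=$1; listing=$2; rc=0
  for p in "$SERVICE/$fqdn@$REALM" "HTTP/$fqdn@$REALM"; do
    # principals are surrounded by spaces in klist output: "... <principal> (<enctype>)"
    if ! printf '%s\n' "$listing" | grep -F -q " $p "; then
      echo "missing keytab entry for $p" >&2; rc=1
    fi
  done
  weak=$(printf '%s\n' "$listing" | grep -E '\((des-|des3-|arcfour-hmac)' || true)
  if [ -n "$weak" ]; then
    echo "weak encryption types in keytab:" >&2; echo "$weak" >&2; rc=1
  fi
  return $rc
}

# Check a keytab's ownership and mode (step 8): owned by the service account
# and mode 0600, so only that account can read or write it. GNU stat assumed.
# Usage: check_keytab_perms <keytab-path> <expected-owner>
check_keytab_perms() {
  file=$1; owner=$2
  actual=$(stat -c '%U %a' "$file" 2>/dev/null) || return 1
  [ "$actual" = "$owner 600" ]
}

# Constructed sample listings (not real KDC output) for a self-check.
SAMPLE_OK='Keytab name: FILE:/etc/dse/dse.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 02/14/16 22:03:11 cassandra/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/14/16 22:03:11 HTTP/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'
SAMPLE_WEAK='Keytab name: FILE:/etc/dse/dse.keytab
   2 02/14/16 22:03:11 cassandra/node1.example.com@EXAMPLE.COM (arcfour-hmac)
   2 02/14/16 22:03:11 HTTP/node1.example.com@EXAMPLE.COM (des-cbc-md5)'
```

On the KDC, feed the batch to kadmin's standard input (kadmin_batch node1.example.com /tmp/node1.keytab | kadmin -p parzival/admin) or pass each emitted line with kadmin -q, then run audit_keytab_listing node1.example.com "$(klist -e -kt /tmp/node1.keytab)" before copying the file. On the node, after step 8, check_keytab_perms /etc/dse/dse.keytab cassandra confirms the ownership and mode; a non-zero exit from either check means the node should not be enabled for Kerberos until the finding is fixed.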

What's next

Enabling DataStax Enterprise for Kerberos authentication