Adding Kerberos service principals for each node in a cluster

Steps for adding Kerberos principals.

Prerequisites

  • Installed and verified the software as described in Setting up your environment.
  • An existing Kerberos domain.
  • An existing KDC is running.
  • Admin rights to the KDC.

Procedure

  1. On each node, note the fully qualified domain name (FQDN) of the machine:
    hostname --fqdn
    node1.example.com
  2. On the Kerberos Key Distribution Center (KDC), run the kadmin command:
    kadmin -p admin_user/admin
    addprinc -randkey dse/FQDN
    addprinc -randkey HTTP/FQDN
    quit

    where

    Parameter   Description
    ---------   -----------
    addprinc    The add_principal command (alias addprinc) requires the add administrative privilege and creates the new principal.
    dse         The service name is dse.
    FQDN        The fully qualified domain name of the host where DataStax Enterprise is running.
    -randkey    Sets the key of the principal to a random value.
    Example:
    kadmin -p admin_user/admin
    addprinc -randkey dse/node1.example.com
    addprinc -randkey HTTP/node1.example.com
    addprinc -randkey dse/node2.example.com
    addprinc -randkey HTTP/node2.example.com
  3. Optional: Verify that the principals have been added by running the listprincs command within kadmin:
    listprincs
    HTTP/node1.example.com@EXAMPLE.COM
    HTTP/node2.example.com@EXAMPLE.COM
    dse/node1.example.com@EXAMPLE.COM
    dse/node2.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    where node*.example.com is the FQDN and EXAMPLE.COM is your Kerberos realm, which must be all uppercase.
  4. Create a keytab file for each node containing the keys of that node's principals:
    kadmin -p admin_user/admin
    ktadd -k dse.keytab dse/FQDN
    ktadd -k dse.keytab HTTP/FQDN
    quit

    where ktadd -k creates or appends a keytab for the dse and HTTP principals.

    Example:
    kadmin -p admin_user/admin
    ktadd -k /tmp/node1.keytab dse/node1.example.com
    ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    ktadd -k /tmp/node2.keytab dse/node2.example.com
    ktadd -k /tmp/node2.keytab HTTP/node2.example.com
  5. Optional: Use the klist command to view your principals and keytabs:
    Node1:
    sudo klist -e -kt /tmp/dse.keytab

    Keytab name: FILE:/tmp/dse.keytab
    KVNO Timestamp        Principal
    ---- ---------------- ----------------------------------------------
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des-cbc-md5)
    where -e displays the encryption type of each key, -k lists the keys stored in the keytab file, and -t shows the timestamp of each entry.
  6. Copy the node-specific keytab files from the KDC machine to the nodes:
    scp /tmp/node1.keytab dse@node1.FQDN:/etc/dse/
    scp /tmp/node2.keytab dse@node2.FQDN:/etc/dse/
  7. On each node, change the name of the keytab file to dse.keytab.

    Make the file names identical across all the nodes to ensure that the entry in each node's dse.yaml is the same.

    Example:

    hostname --fqdn
    node1.example.com
    mv /etc/dse/node1.keytab /etc/dse/dse.keytab
  8. Change the ownership and permissions on dse.keytab so that only the user that runs DataStax Enterprise (cassandra in this example) can read and write the keytab file. For example:
    sudo chown cassandra:cassandra /etc/dse/dse.keytab
    sudo chmod 600 /etc/dse/dse.keytab
    The location of the dse.yaml file depends on the type of installation:
    Installer-Services       /etc/dse/dse.yaml
    Package installations    /etc/dse/dse.yaml
    Installer-No Services    install_location/resources/dse/conf/dse.yaml
    Tarball installations    install_location/resources/dse/conf/dse.yaml
  9. To use a Kerberos non-default REALM with Hadoop, you must specify mapping rules to map the Kerberos principal to the local UNIX user name. Add this configuration key to the resources/hadoop/conf/dse-core.xml file:
    <property>
      <name>hadoop.security.auth_to_local</name>
      <value>
        RULE:[1:$1](.*)s/.*/\${username}/
        DEFAULT
      </value>
    </property>
    The default location of the dse-core.xml Hadoop configuration file depends on the type of installation:
    Installer-Services and Package installations       /etc/dse/hadoop/conf
    Installer-No Services and Tarball installations    install_location/resources/hadoop/conf/
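    The following POSIX shell helpers are an added example and are not part of the DataStax documentation or product. They wrap steps 2, 4, 5 and 8 above for a whole cluster: gen_kadmin_batch emits the addprinc and ktadd lines for every FQDN you pass it (so the batch can be piped into kadmin -p admin_user/admin instead of typed node by node), keytab_has_principals checks that klist -kt output for a node contains both the dse/ and HTTP/ entries, and keytab_perms_ok confirms the copied keytab ended up mode 600. The function names, the /tmp keytab directory, and the SAMPLE_KLIST listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Hypothetical helpers (not from the DataStax docs) for the per-node principal/keytab procedure.

# Emit a kadmin batch that creates dse/ and HTTP/ principals for each FQDN and
# writes both keys into a node-specific keytab under $1. Pipe the output into
# kadmin -p admin_user/admin on the KDC.
gen_kadmin_batch() {
    keytab_dir=$1
    shift
    for fqdn in "$@"; do
        short=${fqdn%%.*}   # node1.example.com -> node1
        printf 'addprinc -randkey dse/%s\n' "$fqdn"
        printf 'addprinc -randkey HTTP/%s\n' "$fqdn"
        printf 'ktadd -k %s/%s.keytab dse/%s\n' "$keytab_dir" "$short" "$fqdn"
        printf 'ktadd -k %s/%s.keytab HTTP/%s\n' "$keytab_dir" "$short" "$fqdn"
    done
    echo quit
}

# Read "klist -e -kt <keytab>" output on stdin and succeed only if both service
# principals for the given FQDN are present (fixed-string match, so the dots in
# the hostname are literal).
keytab_has_principals() {
    fqdn=$1
    listing=$(cat)
    printf '%s\n' "$listing" | grep -qF "dse/$fqdn@" || return 1
    printf '%s\n' "$listing" | grep -qF "HTTP/$fqdn@" || return 1
    return 0
}

# Succeed only if the keytab is readable and writable by its owner alone (mode 600),
# which is what step 8 requires; ls -l output is parsed so this stays portable.
keytab_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Constructed sample of klist -e -kt output for node1 (not captured from a real KDC);
# uses an AES enctype rather than the DES/RC4 types shown in step 5.
SAMPLE_KLIST='Keytab name: FILE:/etc/dse/dse.keytab
KVNO Timestamp        Principal
---- ---------------- ----------------------------------------------
2    14/02/16 22:03   HTTP/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2    14/02/16 22:03   dse/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Stand-alone demo: print the batch for two nodes and check the sample listing.
if [ "${1:-}" = "demo" ]; then
    gen_kadmin_batch /tmp node1.example.com node2.example.com
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principals node1.example.com \
        && echo "node1 keytab: dse/ and HTTP/ present" \
        || echo "node1 keytab: principal missing"
fi
```

    Run it as `sh helpers.sh demo` to see the generated batch, or source the file and use the functions from a larger script. The des3-cbc-sha1, des-cbc-md5, des-hmac-sha1 and arcfour-hmac entries in the step 5 listing are enctypes that current MIT Kerberos releases disable or deprecate, so a fresh keytab on a modern KDC will normally show AES types instead, as in the constructed sample.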

What's next

Enabling DataStax Enterprise for Kerberos authentication