Adding Kerberos service principals for each node in a cluster

Add Kerberos principals for the DSE services on each node in your cluster.

Add Kerberos principals for each node's Cassandra service and an additional principal for HTTP communication.

On the Kerberos Key Distribution Center (KDC), add the principals for each node using the kadmin command.

Prerequisites

You must have:

  • An existing Kerberos domain set up.
  • An existing KDC running.
  • Admin rights to the KDC.
  • Installed and verified the software as described in Setting up your environment.

Procedure

  1. On each node, note the fully qualified domain name (FQDN) of the machine.
    $ hostname --fqdn
    node1.example.com
  2. On the KDC, start kadmin and, for each node, add a Cassandra principal and an HTTP principal with the addprinc command. Use the FQDN of each machine as the instance part of the principal name (the part after the slash); a short host name will not match what clients resolve.

    In this example of a 3-node cluster, the default Cassandra service name cassandra is used, and the Kerberos realm (domain) is EXAMPLE.COM.

    $ kadmin
    addprinc -randkey cassandra/node1.example.com
    addprinc -randkey HTTP/node1.example.com
    addprinc -randkey cassandra/node2.example.com
    addprinc -randkey HTTP/node2.example.com
    addprinc -randkey cassandra/node3.example.com
    addprinc -randkey HTTP/node3.example.com

    To verify that the principals have been added, run the listprincs command within kadmin:

    listprincs
    HTTP/node1.example.com@EXAMPLE.COM
    HTTP/node2.example.com@EXAMPLE.COM
    HTTP/node3.example.com@EXAMPLE.COM
    cassandra/node1.example.com@EXAMPLE.COM
    cassandra/node2.example.com@EXAMPLE.COM
    cassandra/node3.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
  3. Create a keytab file for each node, containing the keys of that node's two principals, using the ktadd command in kadmin.

    The keytab file stores the long-term keys of Kerberos principals. You must create the keytab file during the same kadmin session in which you created the service principals. Note that ktadd also randomizes the key it exports, so running ktadd a second time for a principal invalidates any keytab that already holds that principal's key.

    ktadd -k /tmp/node1.keytab cassandra/node1.example.com
    ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    ktadd -k /tmp/node2.keytab cassandra/node2.example.com
    ktadd -k /tmp/node2.keytab HTTP/node2.example.com
    ktadd -k /tmp/node3.keytab cassandra/node3.example.com
    ktadd -k /tmp/node3.keytab HTTP/node3.example.com
    quit
  4. Copy the node-specific keytab files from the KDC machine to the nodes. Each keytab is a credential (it holds the service's secret keys), so delete the copies from the KDC once they have been transferred, and copy them only over an authenticated, encrypted channel such as scp.
    $ scp /tmp/node1.keytab cassandra@node1.example.com:/etc/dse/
    $ scp /tmp/node2.keytab cassandra@node2.example.com:/etc/dse/
    $ scp /tmp/node3.keytab cassandra@node3.example.com:/etc/dse/
  5. On each node, change the name of the keytab file to dse.keytab.

    Make the file names the same across all the nodes for consistency, and so that the entry in each node's dse.yaml is the same.

    The location of the dse.yaml file depends on the type of installation:
      Installer-Services      /etc/dse/dse.yaml
      Package installations   /etc/dse/dse.yaml
      Installer-No Services   install_location/resources/dse/conf/dse.yaml
      Tarball installations   install_location/resources/dse/conf/dse.yaml
    $ hostname --fqdn
    node1.example.com
    $ mv /etc/dse/node1.keytab /etc/dse/dse.keytab
  6. Change the permissions on dse.keytab so that only the cassandra user can read and write to the keytab file.
    $ sudo chown cassandra:cassandra /etc/dse/dse.keytab
    $ sudo chmod 600 /etc/dse/dse.keytab
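The whole procedure above, scripted so it scales past three nodes and so the result can be checked. This is an added example, not from the DSE documentation or the DSE distribution. It assumes MIT Kerberos (kadmin.local on the KDC, klist and kinit on the nodes), the realm EXAMPLE.COM and service name cassandra from the page, and GNU stat with a fallback to BSD stat; the function names gen_kadmin_batch, check_keytab_perms and verify_node_keytab are this example's own. gen_kadmin_batch emits the addprinc and ktadd commands for any list of FQDNs and refuses short host names; check_keytab_perms checks what step 6 is meant to achieve; verify_node_keytab runs on a node and proves the deployed keytab actually authenticates against the KDC.

```shell
#!/bin/sh
# Added example, not part of the DSE documentation or distribution.
# Assumes MIT Kerberos: kadmin.local on the KDC, klist/kinit on the nodes.
# REALM and SERVICE are placeholders taken from the page; override via environment.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
SERVICE="${SERVICE:-cassandra}"

# A principal such as cassandra/node1 (no domain) never matches the host name a
# client resolves, so refuse anything that is not fully qualified.
require_fqdn() {
  case "$1" in
    *.*) return 0 ;;
    *)   echo "not a fully qualified host name: $1" >&2; return 1 ;;
  esac
}

# Emit the kadmin commands for every node, in the page's order: all addprinc
# lines first, then the ktadd lines that build one keytab per node, then quit.
# Usage on the KDC:  gen_kadmin_batch node1.example.com node2.example.com | kadmin.local
gen_kadmin_batch() {
  for fqdn in "$@"; do require_fqdn "$fqdn" || return 1; done
  for fqdn in "$@"; do
    printf 'addprinc -randkey %s/%s@%s\n' "$SERVICE" "$fqdn" "$REALM"
    printf 'addprinc -randkey HTTP/%s@%s\n' "$fqdn" "$REALM"
  done
  # ktadd randomizes the key it exports: run it once per principal, and never
  # again for a principal whose keytab is already deployed.
  for fqdn in "$@"; do
    short=${fqdn%%.*}
    printf 'ktadd -k /tmp/%s.keytab %s/%s@%s\n' "$short" "$SERVICE" "$fqdn" "$REALM"
    printf 'ktadd -k /tmp/%s.keytab HTTP/%s@%s\n' "$short" "$fqdn" "$REALM"
  done
  echo quit
}

# Step 6 as a check: the keytab must exist, belong to the service account
# (default cassandra) and be readable by nobody else (mode 600, or 400).
# Uses GNU stat and falls back to BSD stat. Returns 0 when safe, 1 otherwise.
check_keytab_perms() {
  path=$1
  want_owner=${2:-cassandra}
  [ -f "$path" ] || { echo "missing keytab: $path" >&2; return 1; }
  if mode=$(stat -c '%a' "$path" 2>/dev/null); then
    owner=$(stat -c '%U' "$path")
  else
    mode=$(stat -f '%Lp' "$path")
    owner=$(stat -f '%Su' "$path")
  fi
  rc=0
  [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, expected $want_owner" >&2; rc=1; }
  case "$mode" in
    600|400) ;;
    *) echo "$path: mode $mode, expected 600" >&2; rc=1 ;;
  esac
  return $rc
}

# On a node: list the keytab and obtain a ticket with the node's own service
# principal. A successful kinit proves the key in the keytab matches the KDC.
verify_node_keytab() {
  keytab=${1:-/etc/dse/dse.keytab}
  fqdn=$(hostname --fqdn)
  require_fqdn "$fqdn" || return 1
  check_keytab_perms "$keytab" || return 1
  klist -k "$keytab"
  kinit -kt "$keytab" "$SERVICE/$fqdn@$REALM" && kdestroy
}

# With node names as arguments, print the batch for the KDC. After running it,
# copy each /tmp/<short>.keytab to its node (step 4) and remove it from the KDC:
# a keytab is the service's long-term key, not a file to leave in /tmp.
if [ $# -gt 0 ]; then
  gen_kadmin_batch "$@"
fi
```

On the KDC, `sh this.sh node1.example.com node2.example.com node3.example.com | kadmin.local` reproduces steps 2 and 3 exactly; on each node, after steps 4 to 6, `verify_node_keytab /etc/dse/dse.keytab` run as the cassandra user both checks the ownership and mode and confirms the key is the one the KDC holds, which catches the most common failure (a stale keytab after a second ktadd) before DSE is started.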