Add Kerberos principals for the DSE services on each node in your cluster.
Add Kerberos principals for each node's Cassandra service and an additional principal for HTTP communication.
On the Kerberos Key Distribution Center (KDC), add the principals for each node using the kadmin command.
Prerequisites
You must have:
- An existing Kerberos domain set up.
- An existing KDC running.
- Admin rights to the KDC.
- Installed and verified the software as described in Setting up your environment.
Procedure
- On each node, note the fully qualified domain name (FQDN) of the machine.
$ hostname --fqdn
node1.example.com
- On the KDC, run the kadmin command, then add the Cassandra and HTTP principals for each node to the domain with the addprinc command within kadmin, using the FQDN of each machine.
In this example of a 3-node cluster, the default Cassandra username of cassandra is used. The Kerberos domain name is EXAMPLE.COM.
$ kadmin
addprinc -randkey cassandra/node1.example.com
addprinc -randkey HTTP/node1.example.com
addprinc -randkey cassandra/node2.example.com
addprinc -randkey HTTP/node2.example.com
addprinc -randkey cassandra/node3.example.com
addprinc -randkey HTTP/node3.example.com
To verify that the principals have been added, run the listprincs command within kadmin:
listprincs
HTTP/node1.example.com@EXAMPLE.COM
HTTP/node2.example.com@EXAMPLE.COM
HTTP/node3.example.com@EXAMPLE.COM
cassandra/node1.example.com@EXAMPLE.COM
cassandra/node2.example.com@EXAMPLE.COM
cassandra/node3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
- Create a keytab file for each node, containing that node's principal keys, using the ktadd command in kadmin.
The keytab file stores Kerberos principal keys. You must create the keytab file during the same kadmin session in which you created the service principals.
ktadd -k /tmp/node1.keytab cassandra/node1.example.com
ktadd -k /tmp/node1.keytab HTTP/node1.example.com
ktadd -k /tmp/node2.keytab cassandra/node2.example.com
ktadd -k /tmp/node2.keytab HTTP/node2.example.com
ktadd -k /tmp/node3.keytab cassandra/node3.example.com
ktadd -k /tmp/node3.keytab HTTP/node3.example.com
quit
- Copy the node-specific keytab files from the KDC machine to the nodes.
$ scp /tmp/node1.keytab cassandra@node1.example.com:/etc/dse/
$ scp /tmp/node2.keytab cassandra@node2.example.com:/etc/dse/
$ scp /tmp/node3.keytab cassandra@node3.example.com:/etc/dse/
- On each node, rename the keytab file to dse.keytab.
Use the same file name on all nodes for consistency, so that the keytab entry in each node's dse.yaml is the same.
The location of the dse.yaml file depends on the type of installation:
Installer-Services | /etc/dse/dse.yaml
Package installations | /etc/dse/dse.yaml
Installer-No Services | install_location/resources/dse/conf/dse.yaml
Tarball installations | install_location/resources/dse/conf/dse.yaml
$ hostname --fqdn
node1.example.com
$ mv /etc/dse/node1.keytab /etc/dse/dse.keytab
- Change the permissions on dse.keytab so that only the cassandra user can read and write to the keytab file.
$ sudo chown cassandra:cassandra /etc/dse/dse.keytab
$ sudo chmod 600 /etc/dse/dse.keytab
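As an added example that is not part of the DataStax documentation, the following POSIX shell script generalizes the 3-node walkthrough above: it generates the kadmin batch for any list of node FQDNs and checks a node's keytab for both of its principals. It assumes the service name cassandra, keytabs written under /tmp on the KDC, the realm taken from the KDC defaults, and klist -k output supplied on stdin.

```shell
#!/bin/sh
# Added example (not DataStax code). Generates the addprinc + ktadd batch for
# any list of node FQDNs in one kadmin session, as the procedure requires, and
# verifies a node's keytab before DSE is pointed at it.
# Assumptions: service name "cassandra", keytabs under /tmp, realm from KDC defaults.

# Print kadmin commands for the given FQDNs; pipe the output into `kadmin`.
# -randkey gives each service principal a random key instead of a password,
# so the key exists only in the KDC database and the keytab.
gen_kadmin_script() {
    for fqdn in "$@"; do
        printf 'addprinc -randkey cassandra/%s\n' "$fqdn"
        printf 'addprinc -randkey HTTP/%s\n' "$fqdn"
    done
    for fqdn in "$@"; do
        short="${fqdn%%.*}"   # node1.example.com -> node1 (per-node keytab name)
        printf 'ktadd -k /tmp/%s.keytab cassandra/%s\n' "$short" "$fqdn"
        printf 'ktadd -k /tmp/%s.keytab HTTP/%s\n' "$short" "$fqdn"
    done
    echo quit
}

# Read `klist -k <keytab>` output on stdin and succeed only if both the
# cassandra/ and HTTP/ principals for the given FQDN are present. On a node:
#   klist -k /etc/dse/dse.keytab | check_keytab_entries "$(hostname --fqdn)"
check_keytab_entries() {
    fqdn=$1
    have_cass=0
    have_http=0
    # klist -k prints "KVNO Principal" rows; header lines never match the patterns.
    while read -r kvno princ; do
        case "$princ" in
            "cassandra/$fqdn@"*) have_cass=1 ;;
            "HTTP/$fqdn@"*)      have_http=1 ;;
        esac
    done
    [ "$have_cass" -eq 1 ] && [ "$have_http" -eq 1 ]
}

# Constructed sample: what klist -k prints for a correctly built node1 keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/dse/dse.keytab
KVNO Principal
---- ----------------------------------------
   2 cassandra/node1.example.com@EXAMPLE.COM
   2 HTTP/node1.example.com@EXAMPLE.COM'

gen_kadmin_script node1.example.com node2.example.com node3.example.com
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_entries node1.example.com && echo "node1 keytab ok"
```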