3. Creating Kerberos Principals And Keytab Files

A Kerberos principal is a unique identity to which Kerberos can assign tickets. (See: Kerberos V5 UNIX User's Guide (MIT)) Every machine that hosts a Kerberos-using service needs a keytab file, by default /etc/krb5.keytab, in order to authenticate to the KDC. The keytab file is an encrypted, local, on-disk copy of the host's key. On a UNIX system, you can view the contents of a keytab file using the klist -k command. (See: Kerberos V5 UNIX User's Guide (MIT))

Kerberos defines two different types of accounts (or Principals) as listed below:

  • User Principal Name

  • Service Principal Name (Example: HTTP/$fully.qualified.domain.name@EXAMPLE.COM)

Hortonworks Data Platform (HDP) requires each of the Hadoop services (NameNode, Secondary NameNode, JobTracker, HBase Master, HCatalog Server, DataNodes, TaskTracker, and HBase RegionServers) to have its own keytab file.

The keytab file for each service must contain that service's user principal, and these principals must follow the mandatory naming conventions. (For example, the service user principal for MapReduce is mapred.)

Note

The keytab files must have the following three principals for NameNode and Secondary NameNode services only:

  • HDFS principal (nn)

  • HTTP principal
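
As an added example (not part of the HDP documentation), the following POSIX shell functions parse the output of klist -kt and check that a NameNode host's keytab contains both the HDFS (nn) principal and the HTTP principal the note above requires. The host name namenode.example.com, the realm EXAMPLE.COM and the sample klist output are constructed for illustration.

```shell
# Constructed sample of `klist -kt /etc/krb5.keytab` output on a NameNode host.
SAMPLE_KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/01/15 00:00:00 nn/namenode.example.com@EXAMPLE.COM
   2 01/01/15 00:00:00 HTTP/namenode.example.com@EXAMPLE.COM'

# keytab_has_principal "<klist output>" "<principal>"
# Returns 0 if the principal appears in the keytab listing, 1 otherwise.
# The principal is always the last whitespace-separated field of an entry line,
# so header lines never match.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# check_namenode_keytab "<klist output>" "<fqdn>" "<REALM>"
# Prints OK/MISSING for each required principal and returns 1 if any is absent.
check_namenode_keytab() {
    out=$1; host=$2; realm=$3; rc=0
    for p in "nn/$host@$realm" "HTTP/$host@$realm"; do
        if keytab_has_principal "$out" "$p"; then
            echo "OK      $p"
        else
            echo "MISSING $p"
            rc=1
        fi
    done
    return $rc
}
```

On a real host, feed the live listing in with: check_namenode_keytab "$(klist -kt /etc/krb5.keytab)" "$(hostname -f)" EXAMPLE.COM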

The following sections provide more information on creating Kerberos principals and keytab files:
