1.5. Creating Hadoop Service Principals and Keytabs

Each service in HDP must have its own principal. A principal name in a given realm is comprised of the primary and an instance (for example, primary/instance@REALM). Because services do not login with a password to acquire Kerberos tickets, the principal authentication key is stored in a keytab file. This keytab file is generated from the Kerberos database and stored locally on the service component host.

First you must create the principal, using mandatory naming conventions. Then you must create the keytab file with that principal's information and copy the file to the keytab directory on the appropriate service host.

Note

	Note
Principals can be created either on the KDC machine itself or through the network, using a previously created “admin” principal. The following instructions assume you are using the KDC machine and using the `kadmin.local` command line administration utility. Using `kadmin.local` on the KDC machine allows you to create principals without needing to create a separate "admin" principal before you start.

Principals can be created either on the KDC machine itself or through the network, using a previously created “admin” principal. The following instructions assume you are using the KDC machine and using the kadmin.local command line administration utility. Using kadmin.local on the KDC machine allows you to create principals without needing to create a separate "admin" principal before you start.

Open the kadmin.local utility on the KDC machine
```
/usr/sbin/kadmin.local
```

Create a service principal using the kadmin utility:

kadmin: addprinc -randkey $principal_name/$fully.qualified.domain.name@YOUR-REALM.COM

You must have a principal with administrative permissions to use this command. The randkey is used to generate the password.

Note that in the example each service principal's name has appended to it the fully qualified domain name of the host on which it is running. This ensures that each service has a unique principal name.

The addition of the hostname serves to distinguish, for example, a request from DataNode A from a request from DataNode B. This is important for two reasons:

If the Kerberos credentials for one DataNode are compromised, it does not automatically lead to all DataNodes being compromised
If multiple DataNodes have exactly the same principal and are simultaneously connecting to the NameNode, and if the Kerberos authenticator being sent happens to have same timestamp, then the authentication would be rejected as a replay request.

The $principal_name part of the name must match the values in the table below:

Note that the NameNode, Secondary NameNode, and Oozie require two principals each.

Table 15.2. Service Principal Names

Service Name	Component	Mandatory Principal Name
HDFS	NameNode	`nn/$FQDN`
HDFS	NameNode HTTP	`HTTP/$FQDN`
HDFS	Secondary NameNode	`nn/$FQDN`
HDFS	Secondary NameNode HTTP	`HTTP/$FQDN`
HDFS	DataNode	`dn/$FQDN`
MapReduce	JobTracker	`jt/$FQDN`
MapReduce	TaskTracker	`tt/$FQDN`
HBase	MasterServer	`hbase/$FQDN`
HBase	RegionServer	`hbase/$FQDN`
ZooKeeper	ZooKeeper	`zookeeper/$FQDN`
Hive	Hive Metastore HiveServer2	`hive/$FQDN`
Hive	WebHCat	`HTTP/$FQDN`
Oozie	Oozie Server	`oozie/$FQDN`
Oozie	Oozie HTTP	`HTTP/$FQDN`
Hue		`hue`

For example: To create the principal for a DataNode service, execute the following command:

kadmin: addprinc -randkey dn/$DataNode_Host_FQDN@EXAMPLE.COM

After the principals are created in the database, extract related keytab files for transfer to the appropriate host:

For RHEL/CentOS 5.x:

kadmin: xst -k $keytab_file_name $principal_name/fully.qualified.domain.name

For RHEL/CentOS 6.x:

kadmin: xst -norandkey -k $keytab_file_name $principal_name/fully.qualified.domain.name

For SLES:

kadmin: xst -norandkey -k $keytab_file_name $principal_name/fully.qualified.domain.name

You must use the mandatory names for the $keytab_file_name variable as shown in this table.

Table 15.3. Service Keytab File Names

Component	Mandatory Principal Name	Mandatory Keytab File Name
NameNode	`nn/$FQDN`	`nn.service.keytab`
NameNode HTTP	`HTTP/$FQDN`	`spnego.service.keytab`
Secondary NameNode	`nn/$FQDN`	`nn.service.keytab`
Secondary NameNode HTTP	`HTTP/$FQDN`	`spnego.service.keytab`
DataNode	`dn/$FQDN`	`dn.service.keytab`
JobTracker	`jt/$FQDN`	`jt.service.keytab`
TaskTracker	`tt/$FQDN`	`tt.service.keytab`
HBase MasterServer	`hbase/$FQDN`	`hbase.service.keytab`
HBase RegionServer	`hbase/$FQDN`	`hbase.service.keytab`
ZooKeeper	`zookeeper/$FQDN`	`zk.service.keytab`
Hive Metastore HiveServer2	`hive/$FQDN`	`hive.service.keytab`
WebHCat	`HTTP/$FQDN`	`spnego.service.keytab`
Oozie Server	`oozie/$FQDN`	`oozie.service.keytab`
Oozie HTTP	`HTTP/$FQDN`	`spnego.service.keytab`
Hue	`hue`	`hue.service.keytab`

For example: To create the keytab files for the NameNode, issue these commands:

 kadmin: xst -k nn.service.keytab nn/<$NameNode_Host_FQDN> 
kadmin: xst -k spnego.service.keytab HTTP/<$NameNode_Host_FQDN>

When you have created the keytab files, copy them to the keytab directory of the respective service hosts.

When the keytab files have been created, on each host create a directory for them and set appropriate permissions.
```
mkdir -p /etc/security/keytabs/
chown root:$HADOOP_GROUP /etc/security/keytabs
chmod 750 /etc/security/keytabs 
```
where $HADOOP_GROUP is a common group shared by services. For example, hadoop.

Set appropriate permissions for the keytabs.

On the NameNode and Secondary NameNode hosts, execute the following command:

chown $HDFS_USER:$HADOOP_GROUP /etc/security/keytabs/nn.service.keytab
chmod 400 /etc/security/keytabs/nn.service.keytab
chown root:$HADOOP_GROUP /etc/security/keytabs/spnego.service.keytab
chmod 440 /etc/security/keytabs/spnego.service.keytab

Execute the following command on all the slave nodes (DataNodes).

chown $HDFS_USER:$HADOOP_GROUP /etc/security/keytabs/dn.service.keytab  
chmod 400 /etc/security/keytabs/*.service.keytab

On JobTracker:

chown $MAPRED_USER:$HADOOP_GROUP /etc/security/keytabs/jt.service.keytab 
chmod 400 /etc/security/keytabs/*.service.keytab

On all the slave nodes (TaskTrackers).

chown $MAPRED_USER:$HADOOP_GROUP /etc/security/keytabs/tt.service.keytab
chmod 400 /etc/security/keytabs/*.service.keytab

On HBase MasterServer, RegionServers, and ZooKeeper hosts:

chown $HBASE_USER:$HADOOP_GROUP /etc/security/keytabs/hbase.service.keytab 
chmod 400 /etc/security/keytabs/hbase.service.keytab
chown $ZOOKEEPER_USER:$HADOOP_GROUP /etc/security/keytabs/zk.service.keytab 
chmod 400 /etc/security/keytabs/zk.service.keytab

On the host that runs the Hive Metastore, HiveServer2 and WebHCat:

chown $HIVE_USER:$HADOOP_GROUP /etc/security/keytabs/hive.service.keytab 
chmod 400 /etc/security/keytabs/hive.service.keytab
chown root:$HADOOP_GROUP /etc/security/keytabs/spnego.service.keytab 
chmod 440 /etc/security/keytabs/spnego.service.keytab

On the Oozie server:

chown $OOZIE_USER:$HADOOP_GROUP /etc/security/keytabs/oozie.service.keytab 
chmod 400 /etc/security/keytabs/oozie.service.keytab
chown root:$HADOOP_GROUP /etc/security/keytabs/spnego.service.keytab
chmod 440 /etc/security/keytabs/spnego.service.keytab

On the Hue server:

chown hue:$HADOOP_GROUP /etc/security/hue.service.keytab
 chmod 600 /etc/security/hue.service.keytab

where

$HDFS_USER is the user owning the HDFS services. For example, hdfs.
$MAPRED_USER is the user owning the MapRed services. For example, mapred.
$HBASE_USER is the user owning the HBase services. For example, hbase.
$ZOOKEEPER_USER is the user owning the ZooKeeper services. For example, zookeeper.
$HIVE_USER is the user owning the Hive services. For example, hive.
$OOZIE_USER is the user owning the Oozie services. For example, oozie.
$HADOOP_GROUP is a common group shared by services. For example, hadoop.

Confirm that the correct keytab files and principals are associated with the correct service using the klist command. For example, on the NameNode:
```
klist –k -t /etc/security/nn.service.keytab
```
Do this on each respective service in your cluster.

Legal notices