Each service in HDP must have its own principal. As services do not login with a password to acquire their tickets, their principal's authentication credentials are stored in a keytab file, which is extracted from the Kerberos database and stored locally with the service principal.
First you must create the principal, using mandatory naming conventions. Then you must create the keytab file with that principal's information and copy the file to the keytab directory on the appropriate service host.
Step 1: Create a service principal using the
kadmin
utility:
kadmin: addprinc -randkey $principal_name/$service-host-FQDN@$hadoop.realm
You
must have a principal with administrative permissions to use this command. The
randkey
is used to generate the password.
Note | |
---|---|
In the example each service principal's name has appended to it the fully qualified domain name of the host on which it is running. This is to provide a unique principal name for services that run on multiple hosts, like DataNodes and TaskTrackers. The addition of the hostname serves to distinguish, for example, a request from DataNode A from a request from DataNode B. This is important for two reasons:
|
The <principal name> part of the name must match the values in the table below.
Note | |
---|---|
The NameNode, Secondary NameNode, and Oozie require two principals each. |
Note | |
---|---|
If you are configuring High Availability (HA) for a Quorom-based NameNode, you must also
generate a principle ( |
Table 23.1. Service Principals
Service | Component | Mandatory Principal Name |
---|---|---|
HDFS | NameNode |
|
HDFS | NameNode HTTP |
|
HDFS | SecondaryNameNode | nn /$FQDN |
HDFS | SecondaryNameNode HTTP | HTTP /$FQDN |
HDFS | DataNode |
|
MR2 | History Server | jhs /$FQDN |
MR2 | History Server HTTP | HTTP /$FQDN |
YARN | ResourceManager | rm /$FQDN |
YARN | NodeManager | nm /$FQDN |
Oozie | Oozie Server |
|
Oozie | Oozie HTTP |
|
Hive |
Hive Metastore HiveServer2 |
|
Hive | WebHCat |
|
HBase | MasterServer |
|
HBase | RegionServer |
|
ZooKeeper | ZooKeeper |
|
Nagios Server | Nagios | nagios /$FQDN |
JournalNode Server[a] | JournalNode | jn /$FQDN |
Gateway | Knox | knox /$FQDN |
[a] Only required if you are setting up NameNode HA. |
For example: To create the principal for a DataNode service, issue this command:
kadmin: addprinc -randkey dn/$datanode-host@$hadoop.realm
Step 2: Extract the related keytab file and place
it in the keytab directory (by default /etc/krb5.keytab
) of the
appropriate respective
components:
kadmin: xst -k $keytab_file_name $principal_name/fully.qualified.domain.name
You must use the mandatory names for the
$keytab_file_name
variable shown in this
table.
Table 23.2. Service Keytab File Names
Component | Principal Name | Mandatory Keytab File Name |
---|---|---|
NameNode | nn /$FQDN | nn.service.keytab
|
NameNode HTTP | HTTP /$FQDN | spnego.service.keytab |
SecondaryNameNode | nn /$FQDN |
nn.service.keytab
|
SecondaryNameNode HTTP | HTTP /$FQDN | spnego.service.keytab |
DataNode | dn /$FQDN | dn.service.keytab |
MR2 History Server | jhs /$FQDN | nm.service.keytab |
MR2 History Server HTTP | HTTP /$FQDN | spnego.service.keytab |
YARN | rm /$FQDN |
|
YARN | nm /$FQDN |
|
Oozie Server | oozie /$FQDN | oozie.service.keytab |
Oozie HTTP | HTTP /$FQDN | spnego.service.keytab |
Hive Metastore HiveServer2 | hive /$FQDN |
|
WebHCat | HTTP /$FQDN | spnego.service.keytab |
HBase Master Server | hbase /$FQDN |
|
HBase RegionServer | hbase /$FQDN |
|
ZooKeeper | zookeeper /$FQDN |
|
Nagios Server | nagios /$FQDN | nagios.service.keytab |
Journal Server[a] | jn /$FQDN | jn.service.keytab |
Knox Gateway[b] | knox/$FQDN | knox.service.keytab |
[a] Only required if you are setting up NameNode HA. [b] Only required if you are using a Knox Gateway. |
For example: To create the keytab files for the NameNode, issue these commands:
kadmin: xst -k nn.service.keytab nn/$namenode-host kadmin: xst -k spnego.service.keytab HTTP/$namenode-host
When
you have created the keytab files, copy them to the keytab
directory of the respective service hosts.
Step 3: Verify that the correct keytab files and
principals are associated with the correct service using the
klist
command. For example, on the
NameNode:
klist –k -t /etc/security/nn.service.keytab
Do this on each respective service in your cluster.