Storm requires a principal and keytab when using Kerberos for authentication. A principal name in a given realm consists of a primary name and an instance name, the FQDN of the host that runs the service, in this case Storm. As services do not log in with a password to acquire their tickets, the authentication credentials for the service principal are stored in a keytab file, which is extracted from the Kerberos database and stored locally with the service principal on the service component host. First, create the principal using mandatory naming conventions. Then, create the keytab file with information from the new principal and copy the keytab to the keytab directory on the appropriate Storm host.
Note: Principals can be created either on the Kerberos Key Distribution Center (KDC) host or over the network using an “admin” principal. The following instructions assume you are using the KDC machine and the kadmin.local command line administration utility. Using kadmin.local on the KDC machine allows you to create principals without needing to create a separate "admin" principal before you start.
Perform the following procedure on the host that runs KDC.
Execute the following command to start the kadmin.local utility:
/usr/sbin/kadmin.local
Execute the following command to create a principal for Zookeeper:
sudo kadmin.local -q 'addprinc zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM'
Execute the following command to create a keytab for Zookeeper:
sudo kadmin.local -q "ktadd -k /tmp/zk.keytab zookeeper/<ZOOKEEPER_HOSTNAME>@STORM.EXAMPLE.COM"
Copy the keytab to all Zookeeper nodes in the cluster.
Note: Verify that only the zookeeper and storm operating system users can access the Zookeeper keytab.
Execute the following command to create a principal for the Nimbus server and the Storm DRPC daemon:
sudo kadmin.local -q 'addprinc storm/<STORM_HOSTNAME>@STORM.EXAMPLE.COM'
Execute the following command to create a keytab for the Nimbus server and the Storm DRPC daemon:
sudo kadmin.local -q "ktadd -k /tmp/storm.keytab storm/<STORM_HOSTNAME>@STORM.EXAMPLE.COM"
Copy the keytab to the Nimbus node and the node that runs the Storm DRPC daemon.
Execute the following command to create a principal for the Storm UI daemon, the Storm Logviewer daemon, and the nodes running the process controller, such as Supervisor. A process controller is used to start and stop the Storm daemons.
sudo kadmin.local -q 'addprinc storm@STORM.EXAMPLE.COM'
Execute the following command to create a keytab for the Storm UI daemon, the Storm Logviewer daemon, and Supervisor:
sudo kadmin.local -q "ktadd -k /tmp/storm.keytab storm@STORM.EXAMPLE.COM"
Copy the keytab to the cluster nodes running the Storm UI daemon, the Storm Logviewer daemon, and Supervisor.
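The procedure above ends with copying each keytab to its service host, and the note on the Zookeeper keytab asks you to verify that only the service accounts can read it. The following POSIX shell script is an added example, not part of the original documentation: run on the receiving host, it checks that the copied keytab is owned by the expected account, carries no world permission bits, and actually contains the expected principal. It assumes GNU/Linux `stat -c` and the MIT Kerberos `klist` utility; the file path, owner and principal are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original documentation. Verifies a keytab that
# has been copied to a service host: it must exist, be owned by the expected
# service account, grant no access to "other", and contain the expected
# principal. Assumes GNU/Linux `stat -c` and MIT Kerberos `klist`.

# check_keytab_perms FILE OWNER
# 0 if FILE is a regular file owned by OWNER with no world permission bits.
check_keytab_perms() {
    file=$1
    owner=$2
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1
    actual_owner=$(stat -c '%U' "$file") || return 1
    # The last octal digit is the "other" class; anything but 0 exposes the key.
    case "$mode" in
        *0) ;;
        *) echo "$file: mode $mode grants world access" >&2; return 1 ;;
    esac
    if [ "$actual_owner" != "$owner" ]; then
        echo "$file: owned by $actual_owner, expected $owner" >&2
        return 1
    fi
    return 0
}

# keytab_has_principal FILE PRINCIPAL
# 0 if `klist -kt FILE` lists PRINCIPAL (last column of each entry line).
keytab_has_principal() {
    klist -kt "$1" 2>/dev/null |
        awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# verify_keytab FILE OWNER PRINCIPAL: run both checks, for example
#   verify_keytab <KEYTAB_DIR>/zk.keytab zookeeper \
#       "zookeeper/$(hostname -f)@STORM.EXAMPLE.COM"
verify_keytab() {
    check_keytab_perms "$1" "$2" || return 1
    keytab_has_principal "$1" "$3" || {
        echo "$1: principal $3 not found" >&2; return 1; }
    echo "$1: OK"
}

# Run the full check when invoked with three arguments; do nothing when sourced.
if [ "$#" -eq 3 ]; then
    verify_keytab "$@"
fi
```

Because `ktadd` appends to an existing keytab, running the principal check for each principal you expect on a host (for example both `storm/<STORM_HOSTNAME>` and `storm` on the Nimbus node) confirms the copied file was built from the right `ktadd` steps.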