Kerberos Principals
Each user and service that needs to authenticate to Kerberos needs a principal, an entity that uniquely identifies the user or service in the context of possibly multiple Kerberos servers and related subsystems. A principal includes up to three pieces of identifying information, starting with the user or service name (called a primary). Typically, the primary portion of the principal consists of the user account name from the operating system, such as jcarlos for the user's Unix account or hdfs for the Linux account associated with the service daemon on the host underlying the cluster node.
Principals for users typically consist solely of the primary and the Kerberos realm name. The realm is a logical grouping of principals tied to the same Key Distribution Center (KDC), which is configured with many of the same properties, such as supported encryption algorithms. Large organizations may use realms as a means of delegating administration to various groups or teams for specific sets of users or functions, and of distributing the authentication-processing tasks across multiple servers.
Standard practice is to use your organization's domain name as the Kerberos realm name (in all uppercase characters) to easily distinguish it as part of a Kerberos principal, as shown in this user principal pattern:
username@REALM.EXAMPLE.COM
The combination of the primary and the realm name can distinguish one user from another. For example, jcarlos@SOME-REALM.EXAMPLE.COM and jcarlos@ANOTHER-REALM.EXAMPLE.COM may be unique individuals within the same organization.
For service role instance identities, the primary is the Unix account name used by Hadoop daemons (hdfs, mapred, and so on) followed by an instance name that identifies the specific host on which the service runs. For example, hdfs/hostname.fqdn.example.com@SOME-REALM.EXAMPLE.COM is the principal for an HDFS service instance. The forward slash (/) separates the primary and the instance names using this basic pattern:
service-name/hostname.fqdn.example.com@REALM.EXAMPLE.COM
The HTTP principal needed for Hadoop web service interfaces does not have a Unix local account for its primary but rather is HTTP.
An instance name can also identify users with special roles, such as administrators. For example, the principal jcarlos@SOME-REALM.COM and the principal jcarlos/admin@SOME-REALM.COM each have their own passwords and privileges, and they may or may not be the same individual.
hdfs/hostname.fqdn.example.com@OAKLAND.EXAMPLE.COM
Generally, the service name is the Unix account name used by the given service role instance, such as hdfs or mapred, as shown above. The HTTP principal for securing web authentication to Hadoop service web interfaces has no Unix account, so the primary for the principal is HTTP.
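As an added example (not part of this documentation or of any Hadoop project code), the following Python parser splits the principal strings shown above into primary, instance and realm, classifies them by the conventions described (user, admin instance, service instance), and checks the uppercase-realm convention. The backslash-escape handling follows the MIT krb5 name syntax and is an assumption beyond what this page states.

```python
"""Parse Kerberos principals of the form primary[/instance]@REALM."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    @property
    def kind(self) -> str:
        """Classify by the conventions above: no instance is a user,
        the 'admin' instance is an administrative user, any other
        instance (a host name) is a service role instance."""
        if self.instance is None:
            return "user"
        if self.instance == "admin":
            return "admin"
        return "service"

    def __str__(self) -> str:
        head = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{head}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split at the first unescaped '/' and the unescaped '@'.
    Assumption (MIT krb5 convention): a backslash makes the next
    character literal, so 'a\\/b@R' has primary 'a/b' and no instance."""
    comps = [""]   # name components before '@'
    realm = None   # becomes a str once '@' has been seen
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):        # escaped: take literally
            ch, i = text[i + 1], i + 1
        elif realm is not None and ch in "/@":      # separators in realm
            raise ValueError(f"unescaped {ch!r} after realm in {text!r}")
        elif ch == "@":
            realm = ""
            i += 1
            continue
        elif ch == "/":
            comps.append("")
            i += 1
            continue
        if realm is None:
            comps[-1] += ch
        else:
            realm += ch
        i += 1
    if not realm:
        raise ValueError(f"missing @REALM in {text!r}")
    if len(comps) > 2:    # this page describes at most primary/instance
        raise ValueError(f"more than primary/instance in {text!r}")
    if any(c == "" for c in comps):
        raise ValueError(f"empty component in {text!r}")
    return Principal(comps[0], comps[1] if len(comps) == 2 else None, realm)


def realm_is_conventional(p: Principal) -> bool:
    """Standard practice above: the realm name is written in all uppercase."""
    return p.realm == p.realm.upper()
```

Running parse_principal over the principals quoted on this page yields kind "user" for jcarlos@SOME-REALM.EXAMPLE.COM, "admin" for jcarlos/admin@SOME-REALM.COM and "service" for the hdfs and HTTP host principals.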