Uploading and unlocking your keytab in SSB

After setting up Kerberos or Knox authentication for SSB, you need to unlock the user-specific keytabs on the Streaming SQL Console by providing your keytab password or uploading the keytab file.

The following message is displayed on the Console in case the keytabs are still locked:
  • Before unlocking the keytab, you need to authenticate your username.
  1. Navigate to the Streaming SQL Console.
    1. Go to your cluster in Cloudera Manager.
    2. Select SQL Stream Builder from the list of services.
    3. Click SQLStreamBuilder Console.
    The Streaming SQL Console opens in a new window.
  2. Click your username at the top right corner of the Streaming SQL Console.
  3. Click Manage keytab.
    You are redirected to the Keytab Manager page.
    You can either unlock the keytab already existing on the cluster, or you can directly upload your keytab file in the SQL Stream Builder.
  4. Enter your password in the Keytab Password field to unlock your keytab.
  5. Click Unlock Keytab.
  6. Click Choose file to upload your keytab file.
  7. Search and select your keytab file.
  8. Click Upload Keytab.
  9. Click Unlock Keytab.
    If an error occurs when unlocking your keytab, you can get more information about the issue with the following steps:
    1. Manually upload your keytab to the Streaming Analytics cluster:
      scp <location>/<your_keytab_file> <workload_username>@<manager_node_FQDN>:.
      Password: <your_workload_password>
    2. Access the manager node of your Streaming Analytics cluster:
      ssh <workload_username>@<manager_node_FQDN>
      Password: <workload_password>
    3. Use the kinit command to authenticate your user:
      kinit -kt <keytab_filename>.keytab <workload_username>
    4. Use the flink-yarn-session command to see if the authentication works properly:
      flink-yarn-session -d \
      -D security.kerberos.login.keytab=<keytab_filename>.keytab \
      -D security.kerberos.login.principal=<workload_username>
    If the command fails, you can review the log file for further information about the issue.
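
    Before running kinit in step 3 of the troubleshooting steps above, it helps to confirm that the copied file really is a keytab, is not readable by other users on the manager node, and contains the expected principal. The script below is an added example, not part of the original documentation; the function names are hypothetical, and it assumes a Linux node with GNU stat and the MIT Kerberos klist client.

```shell
#!/bin/sh
# Added example: pre-flight checks for a keytab copied to the manager node.
# Usage (hypothetical script name): sh keytab_preflight.sh <keytab_file> <workload_username>

# Succeeds if the file starts with the MIT keytab version bytes 0x05 0x02.
keytab_has_magic() {
    [ "$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "0502" ]
}

# Succeeds if group and other have no permission bits set (for example 600 or 400).
# A keytab is a long-term credential: anyone who can read it can authenticate as you.
keytab_is_private() {
    kp_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$kp_mode & 077 )) -eq 0 ]
}

# Runs the checks in order, prints the first problem found, returns non-zero on failure.
keytab_preflight() {
    kp_file=$1
    kp_user=$2
    [ -s "$kp_file" ] || { echo "missing or empty: $kp_file"; return 2; }
    keytab_has_magic "$kp_file" || { echo "not a keytab (bad version bytes): $kp_file"; return 3; }
    keytab_is_private "$kp_file" || { echo "accessible by group/other, run: chmod 600 $kp_file"; return 4; }
    # klist -kt lists the principals stored in the keytab; skipped if klist is not installed.
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$kp_file" 2>/dev/null | grep -qF -- "$kp_user@" \
            || { echo "principal $kp_user not found in $kp_file"; return 5; }
    fi
    echo "ok: $kp_file"
}

# Only run the checks when both arguments are supplied.
if [ "$#" -ge 2 ]; then
    keytab_preflight "$1" "$2"
fi
```

    A non-zero exit status identifies the failed check: 2 for a missing file, 3 for a file that is not a keytab, 4 for permissions that are too open, and 5 for a principal mismatch.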