Retrieving keytabs for workload users

A keytab file stores long-term keys for a principal in Kerberos. You can generate a keytab either through the Management Console user interface or the CDP CLI.

Required roles: All users can retrieve their keytabs from the account management page. All users can retrieve their keytabs from CDP CLI, but this action requires an API access key, which can only be generated by users with the IAMUser role. As a CDP administrator or PowerUser, you can retrieve the keytab for all user accounts.

You may need to generate a keytab for a workload user in certain Data Hub use cases, for example long-running Spark streaming jobs, which need a keytab as a long-lived credential, or NiFi flows that need a keytab to write data into HBase.
You can retrieve a keytab either in the Management Console or in the CDP CLI:
  • Management Console:
    1. Click User Management > Users and then search for and select the Name of the user that you want to get a keytab for.
    2. Click Actions > Get Keytab.
    3. Select the environment in which the Data Hub cluster is running and then click Download.
    4. Save the keytab file in a location of your choice.

      Once you have downloaded the keytab file, you can copy it to the machine on which the cluster runs and use the keytab to authenticate as the workload user principal, or point to the keytab file when running a Spark job or other job that requires a keytab.

  • CDP CLI:
    1. Keytab retrieval (get-keytab) is within the environments module. Run cdp environments get-keytab help for more information. You will need to pass the environment name and an actor CRN:
      cdp environments get-keytab \
      --environment-name=EnvironmentName \
      --actor-crn=ActorCrn
    2. The output of the command is a base64-encoded representation of a keytab. You must base64-decode the output and save the decoded bytes to a file before it can be used as a keytab; the base64 text itself is not a valid keytab.
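As an added example that is not part of Cloudera's documentation, the POSIX shell helpers below cover the CLI step above and the later use of the downloaded file: they decode the base64 text into a keytab that only the owner can read, check the file's header so an undecoded or JSON-wrapped output is caught early, and list the keytab with MIT Kerberos `klist` when it is installed. The file paths, the `SAMPLE_B64` string and the assumption that the CLI prints plain base64 are constructed for the example; `EnvironmentName` and `ActorCrn` are the page's own placeholders.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation: turn the base64 text that
# `cdp environments get-keytab` prints into a keytab file that only the owner can
# read, then sanity-check the file before using it. Paths and the sample string
# below are constructed placeholders.

# Decode base64 from stdin into the keytab path given as $1.
# The subshell sets umask 077 so the file is created owner-only before any key
# material lands on disk; chmod 600 covers the case where the file pre-existed.
write_keytab() {
    out="$1"
    rm -f "$out"
    ( umask 077 && base64 -d > "$out" ) || return 1
    chmod 600 "$out"
}

# A keytab starts with the two bytes 0x05 0x02 (Kerberos 5, keytab format 2).
# A file that fails this check is usually base64 text that was never decoded,
# or a JSON wrapper saved as-is.
check_keytab_header() {
    hdr=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$hdr" = "0502" ]
}

# Show the principals and key versions in a keytab with MIT Kerberos' klist,
# when it is installed (it is not required for the decode step itself).
list_keytab() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed" >&2; return 2; }
    klist -kt "$1"
}

# Constructed sample: base64 of the two header bytes plus four zero bytes.
# It is not a real keytab and contains no key material; it only exercises the
# decode and header check above.
SAMPLE_B64="BQIAAAAA"

# Real usage, with the page's placeholders for the environment and actor CRN.
# This assumes the CLI prints plain base64, as the page describes; if your CLI
# profile wraps the output in JSON, extract the base64 field first.
#
#   cdp environments get-keytab \
#       --environment-name=EnvironmentName \
#       --actor-crn=ActorCrn | write_keytab "$HOME/workload.keytab"
#   check_keytab_header "$HOME/workload.keytab" && list_keytab "$HOME/workload.keytab"
#
# Stand-alone demonstration on the constructed sample:
demo_file=$(mktemp)
printf '%s' "$SAMPLE_B64" | write_keytab "$demo_file"
if check_keytab_header "$demo_file"; then
    echo "header OK: $demo_file"
else
    echo "not a keytab: $demo_file" >&2
fi
rm -f "$demo_file"
```

Writing the file with `umask 077` before any bytes land on disk matters more than the `chmod` afterwards: a keytab is a long-term credential for the workload user, and a shell redirection with the default umask would briefly leave it world-readable. The header check is a cheap way to catch the common mistake of saving the base64 text itself as the keytab.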