This is the documentation for CDH 5.1.x. Documentation for other versions is available at Cloudera Documentation.

Appendix F - Using kadmin to Create Kerberos Keytab Files

If your version of Kerberos does not support the Kerberos -norandkey option in the xst command, or if you must use kadmin because you cannot use kadmin.local, then you can use the following procedure to create Kerberos keytab files. Using the -norandkey option when creating keytabs is optional and a convenience, but it is not required.

  Important:

For both MRv1 and YARN deployments: On every machine in your cluster, there must be a keytab file for the hdfs user and a keytab file for the mapred user. The hdfs keytab file must contain entries for the hdfs principal and an HTTP principal, and the mapred keytab file must contain entries for the mapred principal and an HTTP principal. On each respective machine, the HTTP principal will be the same in both keytab files.

In addition, for YARN deployments only: On every machine in your cluster, there must be a keytab file for the yarn user. The yarn keytab file must contain entries for the yarn principal and an HTTP principal. On each respective machine, the HTTP principal in the yarn keytab file will be the same as the HTTP principal in the hdfs and mapred keytab files.

For instructions, see To create the Kerberos keytab files.

  Note:

These instructions illustrate an example of creating keytab files for MIT Kerberos. If you are using another version of Kerberos, refer to your Kerberos documentation for instructions. You can use either kadmin or kadmin.local to run these commands.

To create the Kerberos keytab files

Do the following steps for every host in your cluster, replacing the fully.qualified.domain.name in the commands with the fully qualified domain name of each host:

  1. Create the hdfs keytab file, which contains an entry for the hdfs principal. This keytab file is used for the NameNode, Secondary NameNode, and DataNodes.
    $ kadmin
    kadmin:  xst -k hdfs-unmerged.keytab hdfs/fully.qualified.domain.name
  2. Create the mapred keytab file, which contains an entry for the mapred principal. If you are using MRv1, the mapred keytab file is used for the JobTracker and TaskTrackers. If you are using YARN, the mapred keytab file is used for the MapReduce Job History Server.
    kadmin:  xst -k mapred-unmerged.keytab mapred/fully.qualified.domain.name
  3. YARN only: Create the yarn keytab file, which contains an entry for the yarn principal. This keytab file is used for the ResourceManager and NodeManager.
    kadmin:  xst -k yarn-unmerged.keytab yarn/fully.qualified.domain.name
  4. Create the http keytab file, which contains an entry for the HTTP principal.
    kadmin:  xst -k http.keytab HTTP/fully.qualified.domain.name
  5. Use the ktutil command to merge the previously-created keytabs:
    $ ktutil
    ktutil:  rkt hdfs-unmerged.keytab
    ktutil:  rkt http.keytab
    ktutil:  wkt hdfs.keytab
    ktutil:  clear
    ktutil:  rkt mapred-unmerged.keytab
    ktutil:  rkt http.keytab
    ktutil:  wkt mapred.keytab
    ktutil:  clear
    ktutil:  rkt yarn-unmerged.keytab
    ktutil:  rkt http.keytab
    ktutil:  wkt yarn.keytab

    This procedure creates three new files: hdfs.keytab, mapred.keytab and yarn.keytab. These files contain entries for the hdfs and HTTP principals, the mapred and HTTP principals, and the yarn and HTTP principals respectively.

  6. Use klist to display the keytab file entries. For example, a correctly-created hdfs keytab file should look something like this:
    $ klist -e -k -t hdfs.keytab
    Keytab name: WRFILE:hdfs.keytab
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    7    HTTP/fully.qualified.domain.name@YOUR-REALM.COM (DES cbc mode with CRC-32)
       2    7    HTTP/fully.qualified.domain.name@YOUR-REALM.COM (Triple DES cbc mode with HMAC/sha1)
       3    7    hdfs/fully.qualified.domain.name@YOUR-REALM.COM (DES cbc mode with CRC-32)
       4    7    hdfs/fully.qualified.domain.name@YOUR-REALM.COM (Triple DES cbc mode with HMAC/sha1)
  7. To verify that you have performed the merge procedure correctly, make sure you can obtain credentials as both the hdfs and HTTP principals using the single merged keytab:
    $ kinit -k -t hdfs.keytab hdfs/fully.qualified.domain.name@YOUR-REALM.COM
    $ kinit -k -t hdfs.keytab HTTP/fully.qualified.domain.name@YOUR-REALM.COM

    If either of these commands fails with an error message such as "kinit: Key table entry not found while getting initial credentials", then something has gone wrong during the merge procedure. Go back to step 1 of this document and verify that you performed all the steps correctly.

  8. To continue the procedure of configuring Hadoop security in CDH 5, follow the instructions in the section To deploy the Kerberos keytab files.
Page generated September 3, 2015.