Appendix F - Using kadmin to Create Kerberos Keytab Files
If your version of Kerberos does not support the Kerberos -norandkey option in the xst command, or if you must use kadmin because you cannot use kadmin.local, then you can use the following procedure to create Kerberos keytab files. Using the -norandkey option when creating keytabs is optional and a convenience, but it is not required.
For both MRv1 and YARN deployments: On every machine in your cluster, there must be a keytab file for the hdfs user and a keytab file for the mapred user. The hdfs keytab file must contain entries for the hdfs principal and an HTTP principal, and the mapred keytab file must contain entries for the mapred principal and an HTTP principal. On each respective machine, the HTTP principal will be the same in both keytab files.
In addition, for YARN deployments only: On every machine in your cluster, there must be a keytab file for the yarn user. The yarn keytab file must contain entries for the yarn principal and an HTTP principal. On each respective machine, the HTTP principal in the yarn keytab file will be the same as the HTTP principal in the hdfs and mapred keytab files.
For instructions, see To create the Kerberos keytab files.
These instructions illustrate an example of creating keytab files for MIT Kerberos. If you are using another version of Kerberos, refer to your Kerberos documentation for instructions. You can use either kadmin or kadmin.local to run these commands.
To create the Kerberos keytab files
Do the following steps for every host in your cluster, replacing the fully.qualified.domain.name in the commands with the fully qualified domain name of each host:
- Create the hdfs keytab file, which contains an entry for the hdfs principal. This keytab file is used for the NameNode, Secondary NameNode, and DataNodes.
$ kadmin
kadmin: xst -k hdfs-unmerged.keytab hdfs/fully.qualified.domain.name
- Create the mapred keytab file, which contains an entry for the mapred principal. If you are using MRv1, the mapred keytab file is used for the JobTracker and TaskTrackers. If you are using YARN, the mapred keytab file is used for the MapReduce Job History Server.
kadmin: xst -k mapred-unmerged.keytab mapred/fully.qualified.domain.name
- YARN only: Create the yarn keytab file, which contains an entry for the yarn principal. This keytab file is used for the ResourceManager and NodeManager.
kadmin: xst -k yarn-unmerged.keytab yarn/fully.qualified.domain.name
- Create the http keytab file, which contains an entry for the HTTP principal.
kadmin: xst -k http.keytab HTTP/fully.qualified.domain.name
- Use the ktutil command to merge the previously created keytabs:
$ ktutil
ktutil: rkt hdfs-unmerged.keytab
ktutil: rkt http.keytab
ktutil: wkt hdfs.keytab
ktutil: clear
ktutil: rkt mapred-unmerged.keytab
ktutil: rkt http.keytab
ktutil: wkt mapred.keytab
ktutil: clear
ktutil: rkt yarn-unmerged.keytab
ktutil: rkt http.keytab
ktutil: wkt yarn.keytab
This procedure creates three new files: hdfs.keytab, mapred.keytab and yarn.keytab. These files contain entries for the hdfs and HTTP principals, the mapred and HTTP principals, and the yarn and HTTP principals respectively.
- Use klist to display the keytab file entries. For example, a correctly created hdfs keytab file should look something like this:
$ klist -e -k -t hdfs.keytab
Keytab name: WRFILE:hdfs.keytab
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    7 HTTP/fully.qualified.domain.name@YOUR-REALM.COM (DES cbc mode with CRC-32)
   2    7 HTTP/fully.qualified.domain.name@YOUR-REALM.COM (Triple DES cbc mode with HMAC/sha1)
   3    7 hdfs/fully.qualified.domain.name@YOUR-REALM.COM (DES cbc mode with CRC-32)
   4    7 hdfs/fully.qualified.domain.name@YOUR-REALM.COM (Triple DES cbc mode with HMAC/sha1)
- To verify that you have performed the merge procedure correctly, make sure you can obtain credentials as both the hdfs and HTTP principals using the single merged keytab:
$ kinit -k -t hdfs.keytab hdfs/fully.qualified.domain.name@YOUR-REALM.COM
$ kinit -k -t hdfs.keytab HTTP/fully.qualified.domain.name@YOUR-REALM.COM
If either of these commands fails with an error message such as "kinit: Key table entry not found while getting initial credentials", then something has gone wrong during the merge procedure. Go back to step 1 of this document and verify that you performed all the steps correctly.
- To continue the procedure of configuring Hadoop security in CDH 5, follow the instructions in the section To deploy the Kerberos keytab files.
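As an added check that is not part of the original documentation, the following Python reads a merged keytab directly (MIT keytab file format version 0x0502, the format kadmin and ktutil write) and reports whether both the service principal and the HTTP principal are present, which is the same condition the klist and kinit steps above verify. The hostname, realm and key bytes are constructed sample values, and the sample uses enctype 18 (aes256-cts-hmac-sha1-96) rather than the DES types shown in the klist output.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502 (as written by kadmin and ktutil)

def keytab_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one keytab entry: size, components, realm, name type, time, 8-bit vno, key, 32-bit vno."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                                  # realm first, then each name component
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)     # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def _counted(data, pos):                                       # 16-bit length-prefixed string at pos
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry; deleted slots are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                                           # negative size: deleted slot of -size bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        _nt, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                                       # skip the fixed fields and the key bytes
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def check_merged_keytab(data, service, host, realm):
    """Same condition the klist/kinit steps check: return the service/host and HTTP/host principals that are missing."""
    present = {p for p, _, _ in parse_keytab(data)}
    return [p for p in (f"{service}/{host}@{realm}", f"HTTP/{host}@{realm}") if p not in present]

HOST, REALM = "node1.example.com", "EXAMPLE.COM"               # constructed sample values, not a real site
HDFS_KEYTAB = (KEYTAB_MAGIC                                    # a merged hdfs.keytab; keys are dummy bytes
               + keytab_entry(f"hdfs/{HOST}@{REALM}", 7, 18, b"\x11" * 32)   # 18 = aes256-cts-hmac-sha1-96
               + keytab_entry(f"HTTP/{HOST}@{REALM}", 7, 18, b"\x22" * 32))
```

An empty list from check_merged_keytab corresponds to both kinit commands succeeding; a non-empty list names the principal that would produce the "Key table entry not found" error.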