Retrieve keytabs for workload users

A keytab file stores long-term keys for a principal in Kerberos. Retrieve your keytab for a specific environment.

You may need to generate a keytab for a workload user in certain Data Hub use cases, for example long-running Spark streaming jobs, which need a keytab as a long-lived credential, or NiFi flows that need a keytab to write data into HBase.

Note that:
  • CDP users can retrieve their own keytabs. A PowerUser can retrieve keytabs for other users.
  • Each time you reset your workload password, you must regenerate your keytab.
  • Keytabs are scoped to an environment, whereas workload passwords are the same for every environment. A keytab is, however, tied to the workload password. If you change the workload password, you must retrieve a new keytab. When you change a workload password, retrieve the keytab only after the user sync operation is complete.
  • There are ways to generate keytabs with utilities outside of CDP, such as ipa-getkeytab or ktutil. Cloudera recommends against using these methods as they may not work as expected. For example, ipa-getkeytab creates a keytab that may work, but only temporarily.

Required roles: All users can retrieve their keytabs from the account management page. All users can retrieve their keytabs from CDP CLI, but this action requires an API access key, which can only be generated by users with the IAMUser role. As a CDP administrator or PowerUser, you can retrieve the keytab for all user accounts.

Before you begin

In order to retrieve a keytab for an environment, you must first set a workload password for that environment. See Setting the workload password.

Retrieve your own keytab

Steps

  1. Log in to the CDP web interface.
  2. Click on your user name in the bottom left corner and then select Profile.
  3. Click on Actions > Get keytab.
  4. In the pop-up window that appears, select the environment for which you would like to get the keytab.
  5. Click Download.
  6. Save the keytab file in a location of your choice.

Alternatively, to retrieve a keytab for yourself with the CDP CLI, use the following command:
cdp environments get-keytab --environment-name <VALUE>

The output of the command is a base64-encoded representation of the keytab. Decode the output from base64 and save the result to a file before using it as a keytab.

What to do next

Once you have downloaded the keytab file, you can copy it to the machine on which the cluster runs and use the keytab to authenticate as the workload user principal, or point to the keytab file when running a Spark job or other job that requires a keytab.

Retrieve keytab for another user or machine user (admin only)

Steps

  1. Log in to the CDP web interface.
  2. Navigate to the Management Console > User Management, find and click on the user name of the user that you would like to retrieve a keytab for.
  3. Click on Actions > Get keytab.
  4. In the pop-up window that appears, select the environment for which you would like to get the keytab.
  5. Click Download.
  6. Save the keytab file in a location of your choice.

Alternatively, to retrieve a keytab for another user or machine user with the CDP CLI, use the following command:
cdp environments get-keytab --environment-name <VALUE> --actor-crn <CRN>

The output of the command is a base64-encoded representation of the keytab. Decode the output from base64 and save the result to a file before using it as a keytab.
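The two CLI commands above (with and without --actor-crn) both return the keytab as base64 text that still has to be decoded and written to disk. The following shell script is an added example, not part of Cloudera's documentation or the CDP CLI: it wraps the command, extracts the base64 field, decodes it into a file that only the owner can read, and checks that the result really starts with the keytab format header (bytes 0x05 0x02) so that an error message is never saved as a "keytab". It assumes the JSON response carries the keytab in a field named "contents" (an assumption; confirm the field name against your CDP CLI version's output) and that python3 is available for JSON parsing.

```shell
#!/usr/bin/env sh
# Added example (not Cloudera's code): fetch a CDP keytab via the CLI and
# store it safely. Assumes the JSON response has a "contents" field.

# decode_keytab BASE64_STRING OUTPUT_PATH
# Decodes the base64 text into OUTPUT_PATH (mode 0600) and returns 0 only if
# the file begins with the keytab v2 header 0x05 0x02.
decode_keytab() {
    b64="$1"; out="$2"
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; printf '%s' "$b64" | base64 -d > "$out" ) || return 1
    chmod 600 "$out"
    magic=$(od -An -tx1 -N2 "$out" | tr -d ' \n')
    [ "$magic" = "0502" ]
}

# fetch_keytab ENVIRONMENT_NAME OUTPUT_PATH [ACTOR_CRN]
# Runs `cdp environments get-keytab`; pass a CRN as the third argument to
# retrieve another user's or machine user's keytab (PowerUser only).
fetch_keytab() {
    env_name="$1"; out="$2"; actor="$3"
    if [ -n "$actor" ]; then
        json=$(cdp environments get-keytab --environment-name "$env_name" --actor-crn "$actor") || return 1
    else
        json=$(cdp environments get-keytab --environment-name "$env_name") || return 1
    fi
    # "contents" is the assumed name of the base64 field in the response.
    b64=$(printf '%s' "$json" | python3 -c 'import json,sys; print(json.load(sys.stdin)["contents"])') || return 1
    decode_keytab "$b64" "$out"
}

# Example invocation (requires a configured cdp CLI); ENV_NAME and the CRN
# are placeholders:
#   fetch_keytab ENV_NAME "$HOME/workload.keytab"
#   fetch_keytab ENV_NAME /tmp/svc.keytab crn:cdp:iam:us-west-1:EXAMPLE:user:EXAMPLE
#   klist -kt "$HOME/workload.keytab"   # list the principals the file contains
```

A keytab is a long-lived credential equivalent to the workload password, so the script creates the file with owner-only permissions from the start rather than chmod-ing it afterwards; this way no window exists in which another local user could read it. After a workload password reset the old file is useless and should be deleted and re-fetched, as the note at the top of the page explains.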

What to do next

Once you have downloaded the keytab file, you can copy it to the machine on which the cluster runs and use the keytab to authenticate as the workload user principal, or point to the keytab file when running a Spark job or other job that requires a keytab.