Retrieve keytabs for workload users

A keytab file stores the long-term key(s) of a Kerberos principal. Anyone who can read a keytab can authenticate as that principal without entering a password, so protect the file as carefully as the workload password itself. You can retrieve your keytab for a specific environment.

You may need to generate a keytab for a workload user in certain Data Hub use cases, for example long-running Spark streaming jobs, which require a keytab as a long-lived credential; or NiFi flows requiring a keytab to write data into HBase.

Note that:
  • CDP users can retrieve their own keytabs. A PowerUser can retrieve keytabs for other users.
  • Keytabs are scoped to an environment, whereas the workload password is the same for every environment. A keytab is, however, derived from the workload password: each time you reset the workload password, keytabs retrieved with the old password stop working and you must retrieve a new keytab. Retrieve the new keytab only after the user sync operation that follows the password change is complete; a keytab retrieved before the sync finishes may still contain the old keys.
  • It is possible to generate keytabs with utilities outside of CDP, such as ipa-getkeytab or ktutil. Cloudera recommends against these methods, as they may not work as expected. For example, ipa-getkeytab creates a keytab that may work, but only temporarily. Note also that ipa-getkeytab, unless run in retrieve mode (-r), generates new keys for the principal on the IPA server rather than fetching the existing ones, which replaces the keys the principal currently has.

Before you begin

To retrieve a keytab for an environment, you must first set a workload password (the same password applies to every environment). See Setting the workload password.

Steps - CDP web interface

  1. Log in to CDP web interface.
  2. Do one of the following:
    • If you would like to retrieve a keytab for yourself, click your name in the bottom left corner and then click Profile.
    • If you would like to retrieve a keytab for another user (as a PowerUser), navigate to Management Console > User Management, then find and click the user name of the user for whom you want to retrieve a keytab.
  3. Click on Actions > Get keytab.
  4. In the pop-up window that appears, select the environment for which you would like to get the keytab.
  5. Click Download.
  6. Save the keytab file in a location of your choice.

Steps - CDP CLI

To retrieve a keytab for yourself, use the following command:
cdp environments get-keytab --environment-name <VALUE>
To retrieve a keytab for another user or a machine user (as a PowerUser), pass that actor's CRN:
cdp environments get-keytab --environment-name <VALUE> --actor-crn <CRN>

The output of the command is a base64-encoded representation of the keytab, not the keytab itself. Base64-decode the string and save the decoded bytes to a file before using it as a keytab; saving the raw output will not work.
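The decode-and-save step above, written out as a small POSIX shell helper. This is an added example, not Cloudera's or the CDP CLI's own code. It assumes the CLI's JSON response carries the base64 keytab in a field named "contents" (check the field name in your CLI version's output if extraction prints nothing), and it feeds the helper a constructed sample response built from a dummy keytab so that it runs offline; the principal alice@EXAMPLE.COM and its key bytes are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not Cloudera's code): turn the JSON printed by
# `cdp environments get-keytab` into a usable, owner-only keytab file.
# Assumption: the response stores the base64 keytab in a field named "contents".
set -eu

# Pull the base64 string out of the JSON on stdin without needing jq; stripping
# whitespace first lets the sed pattern cope with pretty-printed output.
extract_keytab_b64() {
    tr -d '\n\r\t ' | sed -n 's/.*"contents":"\([^"]*\)".*/\1/p'
}

# Decode $1 into the file $2 (mode 0600) and verify that the result starts with
# the keytab magic bytes 0x05 0x02 (keytab file format version 2).
save_keytab() {
    b64="$1"; out="$2"
    if [ -z "$b64" ]; then
        echo "no keytab contents found in response" >&2
        return 1
    fi
    # umask 077 inside a subshell: the file is never group/world-readable, even briefly.
    ( umask 077; printf '%s' "$b64" | base64 -d > "$out" ) 2>/dev/null \
        || ( umask 077; printf '%s' "$b64" | base64 -D > "$out" )   # older macOS spelling
    chmod 600 "$out"
    magic=$(od -An -tx1 -N2 "$out" | tr -d ' \n')
    if [ "$magic" != "0502" ]; then
        echo "$out does not look like a keytab (magic bytes: $magic)" >&2
        return 1
    fi
}

# Constructed sample keytab (dummy key, not a real credential): one aes128-cts
# entry (enctype 17) for alice@EXAMPLE.COM, kvno 1, in the layout MIT krb5 writes.
build_sample_keytab() {
    printf '\005\002\000\000\000\063'                        # version 0x0502, entry length 51
    printf '\000\001\000\013EXAMPLE.COM\000\005alice'         # 1 name component, realm, "alice"
    printf '\000\000\000\001\000\000\000\000\001'              # name type 1, timestamp 0, kvno 1
    printf '\000\021\000\020'                                  # enctype 17, key length 16
    printf '\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017'
}

# Constructed stand-in for the CLI response so the flow runs offline.
sample_response() {
    printf '{\n  "contents": "%s"\n}\n' "$(build_sample_keytab | base64 | tr -d '\n')"
}

# End-to-end flow. Against a real environment, replace sample_response with:
#   cdp environments get-keytab --environment-name <VALUE>
retrieve_keytab() {
    out="$1"
    b64=$(sample_response | extract_keytab_b64)
    save_keytab "$b64" "$out" || return 1
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$out" || true          # list the entries when a Kerberos client is installed
    fi
    echo "$out"
}
```

On a cluster host with MIT Kerberos, kinit -kt /path/to/user.keytab <principal> then obtains a ticket for the workload user from the saved file; klist -kt shows the principal name and kvno the keytab contains, which is a quick way to confirm you retrieved it after the user sync rather than before.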

What to do next

Once you have downloaded the keytab file, copy it to a host of the cluster and use it to authenticate as the workload user principal (for example with kinit -kt on MIT Kerberos), or point to it when running a Spark job or another job that requires a keytab. Because the keytab grants authentication as the workload user for as long as the workload password stays unchanged, transfer it only over an encrypted channel, restrict its file permissions to the account that runs the job, and delete copies you no longer need.