Configurations required to use load balancer with Kerberos enabled

Learn how to use load balancer in front of Schema Registry instances in an environment where Kerberos is enabled.

In this case, the clients connect to the load balancer, so they acquire a Kerberos ticket including the load balancer host. In the meantime, Schema Registry instances are logged in with their service principal including their FQDN. Because the load balancer host and the FQDN are probably not the same (if it is assumed that load balancer is not deployed to Schema Registry host), requests result in ticket mismatch to avoid man-in-the-middle attacks.

To ensure that requests forwarded by a load balancer are accepted, you need to do the following:

  1. Log into Cloudera Manager and go to the Schema Registry service.
  2. Set schema_registry_load_balancer_host to the host of the load balancer.
  3. Restart the Schema Registry service.

This generates a new principal HTTP/<loadbalancerhost>@REALM. Each Schema Registry instance not only logs in with its FQDN related service principal, but also logs in with the load balancer related one, so forwarded requests do not fail.