Before we get started with configuring Kerberos for Apache Hadoop, we need to set up the KDC and the different nodes on the cluster with the required packages.
KDC is the Kerberos server and should be the first step in configuring Kerberos on the cluster. The following are the steps to install the server packages:
- Choose a node on the cluster that you would want to set up as the KDC. Ideally, this node should be used exclusively for the KDC; however, for this demonstration, I am using
node1.hclusterfor the KDC. - Install the
krb5-libs,krb5-server, andkrb5-workstationpackages on the KDC node. Use the following commands as therootuser to install the packages:$ yum install krb5-libs $ yum install krb5-server $ yum install krb5-workstation
- Update the
krb5.conffile in the/etc/folder from therootuser as shown in the following code:[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MYREALM.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] MYREALM.COM = { kdc = node1.hcluster admin_server = node1.hcluster } [domain_realm] .hcluster = MYREALM.COM hcluster = MYREALM.COMFor our configuration, we are using
MYREALM.COMas our realm. In this configuration,node1.hclusteris the KDC. - Next, update the
kdc.conffiles in the/var/kerberos/krb5kdc/folder from therootuser as shown in the following code:[kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 [realms] MYREALM.COM = { master_key_type = aes256-cts acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal } - Next, we need to get the Java Cryptography Extension policy files from Oracle. These files are needed for our configuration as we are using the AES256-CTS type of cryptography for authentication. These policy files are not part of the Java Runtime Environment (JRE) by default and need to be explicitly downloaded. The policy files can be downloaded from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.
- After downloading the
UnlimitedJCEPolicyJDK7.zipfile, unzip the file to get the following two files:local_policy.jarUs_export_policy.jar
- On installing Cloudera Manager, Java was installed in
/usr/java/jdk1.7.0_45-cloudera/. Place the extracted files as therootuser under the/usr/java/jdk1.7.0_45-cloudera/jre/lib/security/directory on all the machines that are part of the cluster. The JDK folder may be different for your installation, so please verify the path before placing the files. You may be prompted to overwrite the existing files. You should choose yes to overwrite the files. - Next, we need to set up the database for the KDC. Use
kdb5_util create -scommand as therootuser as shown in the following screenshot: - Next, update the
kadm5.aclfile in the/var/kerberos/krb5kdc/folder from therootuser as follows: - Create the first principal for the
rootuser asrootuser usingkadmin.local -q "addprinc root/admin"command as shown in the following screenshot: - Start the KDC services using the following commands as the
rootuser:$ service krb5kdc start $ service kadmin start
The previously mentioned steps should install all the required packages and start the services for KDC.
It is a good practice to test the KDC server after installation using the following steps:
- From the machine hosting the KDC service, run the following command to get the ticket granting ticket for the
rootuser:$ kinit root/[email protected] - Verify the existence of the ticket granting ticket (TGT) using the
klistcommand as shown in the following screenshot:
After configuring the server, we need to set up the clients to work with Kerberos. Following are the steps to install the client packages on all the nodes of the cluster:
- Install the
krb5-libsandkrb5-workstationpackages on all the client nodes as arootuser using the following commands:$ yum install krb5-libs $ yum install krb5-workstation
- Copy
/etc/krb5.conffrom the KDC server as therootuser to all the client nodes on the cluster.
The client nodes are now configured to work with Kerberos.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.