Before we get started with configuring Kerberos for Apache Hadoop, we need to set up the KDC and the different nodes on the cluster with the required packages.
The KDC is the Kerberos server, and setting it up should be the first step in configuring Kerberos on the cluster. The following are the steps to install the server packages:

In this setup, node1.hcluster is used for the KDC.

Install the krb5-libs, krb5-server, and krb5-workstation packages on the KDC node. Use the following commands as the root user to install the packages:

    $ yum install krb5-libs
    $ yum install krb5-server
    $ yum install krb5-workstation

Edit the krb5.conf file in the /etc/ folder as the root user as shown in the following code:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MYREALM.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     MYREALM.COM = {
      kdc = node1.hcluster
      admin_server = node1.hcluster
     }

    [domain_realm]
     .hcluster = MYREALM.COM
     hcluster = MYREALM.COM

For our configuration, we are using MYREALM.COM as our realm. In this configuration, node1.hcluster is the KDC.

Edit the kdc.conf file in the /var/kerberos/krb5kdc/ folder as the root user as shown in the following code:

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    [realms]
     MYREALM.COM = {
      master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

Once you have the UnlimitedJCEPolicyJDK7.zip file, unzip the file to get the following two files:

    local_policy.jar
    US_export_policy.jar

In this setup, the JDK is installed under /usr/java/jdk1.7.0_45-cloudera/. Place the extracted files as the root user under the /usr/java/jdk1.7.0_45-cloudera/jre/lib/security/ directory on all the machines that are part of the cluster. The JDK folder may be different for your installation, so please verify the path before placing the files. You may be prompted to overwrite the existing files. You should choose yes to overwrite the files.

Create the KDC database using the kdb5_util create -s command as the root user as shown in the following screenshot:

Edit the kadm5.acl file in the /var/kerberos/krb5kdc/ folder as the root user as follows:

Add an admin principal for the root user, working as the root user, using the kadmin.local -q "addprinc root/admin" command as shown in the following screenshot:

Start the KDC services as the root user:

    $ service krb5kdc start
    $ service kadmin start

The previously mentioned steps should install all the required packages and start the services for KDC.
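
The kdc.conf above lists single-DES, 3DES and arcfour (RC4) entries in supported_enctypes, which RFC 6649 and RFC 8429 deprecate for Kerberos. The following script is an added example, not part of the original page: it flags those entries and prints the file with them removed. The function names and the WEAK_RE pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# Enctype families deprecated for Kerberos: single DES (RFC 6649),
# 3DES and RC4/arcfour (RFC 8429).
WEAK_RE='^(des|des3|arcfour|rc4)([-:]|$)'

# Constructed sample: the [realms] stanza of the kdc.conf shown above.
sample_kdc_conf() {
cat <<'EOF'
[realms]
 MYREALM.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
}

# Reads a kdc.conf on stdin; prints each deprecated enctype:salt entry,
# one per line. Exit status is 1 if any were found, 0 otherwise.
weak_enctypes() {
    awk -v weak="$WEAK_RE" '
        /^[ \t]*supported_enctypes[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, e, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (e[i] ~ weak) { print e[i]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Reads a kdc.conf on stdin; prints it with deprecated entries dropped from
# supported_enctypes. A line that would end up empty is left unchanged.
harden_kdc_conf() {
    awk -v weak="$WEAK_RE" '
        /^[ \t]*supported_enctypes[ \t]*=/ {
            lhs = $0; sub(/=.*/, "=", lhs)
            rhs = $0; sub(/^[^=]*=/, "", rhs)
            n = split(rhs, e, /[ \t,]+/); keep = ""
            for (i = 1; i <= n; i++)
                if (e[i] != "" && e[i] !~ weak) keep = keep " " e[i]
            if (keep != "") { print lhs keep; next }
        }
        { print }'
}

# Demo: list the deprecated entries, then print the trimmed stanza.
sample_kdc_conf | weak_enctypes || echo "deprecated enctypes found" >&2
sample_kdc_conf | harden_kdc_conf
```

To check a real KDC, run `weak_enctypes < /var/kerberos/krb5kdc/kdc.conf`. The supported_enctypes setting applies to keys created after the change, so principals that already exist keep their old keys until they are re-keyed.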

It is a good practice to test the KDC server after installation using the following steps:

Run the following command as the root user:

    $ kinit root/admin@MYREALM.COM

Run the klist command as shown in the following screenshot:

After configuring the server, we need to set up the clients to work with Kerberos. The following are the steps to install the client packages on all the nodes of the cluster:

Install the krb5-libs and krb5-workstation packages on all the client nodes as the root user using the following commands:

    $ yum install krb5-libs
    $ yum install krb5-workstation

Copy /etc/krb5.conf from the KDC server as the root user to all the client nodes on the cluster.

The client nodes are now configured to work with Kerberos.