Hortonworks ManualsHortonworks Data Platform

 

 4.2. Configure your existing KDC server

  1. Modify the realm property for krb5.conf and kdc.conf file.

    [Note]Note

    Ensure that the realm value in your krb5.conf file matches with the default value for realm property in your gsInstaller.properties file.

    Update the realm property in the kdc.conf file and copy this file to each node in your cluster.

  2. Create the principals for all services in your Hadoop cluster.

    • Execute the following command: 

      kadmin: addprinc -randkey $$principal_name/fully.qualified.domain.name@YOUR-REALM.COM

    • The $principal_name must use the following mandatory naming conventions:

      [Important]Important

      Upper case name in the FQDN part of the principals does not work with Kerberos. (JIRA: HADOOP-7988)

      Table 3.3. Secure deployment - Mandatory naming conventions for principals
      Service Name Principal Name (mandatory naming convention)
      NameNode nn and HTTP
      Secondary NameNode nn, HTTP
      JobTracker jt
      TaskTracker tt
      DataNode dn

      HBase Master

      		 hm

      HBase RegionServer

      		 rs
      Hive Metastore hive
      Oozie oozie
      Oozie HTTP
      WebHCat HTTP

  3. Set permissions for keytabs directory to 755.

    [Note]Note

    The location of the keytab directory is specified by the keytabdir property in the gsInstaller.properties file.

  4. Create keytab files for all services and assign required permissions. 

    kadmin: xst -norandkey -k $keytab_file_name $principal_name/fully.qualified.domain.name

    where, the $keytab_file_name uses the following mandatory naming conventions:

    Table 3.4. Secure deployment - Mandatory naming conventions for keytab files
    Service Name Keytab File Name Principal Name Permissions Owner
    NameNode nn.service.keytab nn 700 hdfs:hadoop
    NameNode spnego.service.keytab HTTP 700 hdfs:hadoop
    Secondary NameNode nn.service.keytab nn 700 hdfs:hadoop
    Secondary NameNode spnego.service.keytab HTTP 700 hdfs:hadoop
    JobTracker jt.service.keytab jt 700 mapred:hadoop
    TaskTracker tt.service.keytab tt 700 mapred:hadoop
    DataNode dn.service.keytab dn 700 hdfs:hadoop
    HBase Master hm.service.keytab hm 700 hbase:hadoop
    HBase RegionServer rs.service.keytab rs 700 hbase:hadoop
    Hive Metastore hive.service.keytab hive 700 hive:hadoop
    Oozie oozie.service.keytab oozie 700 oozie:hadoop
    Oozie spnego.service.keytab HTTP 700 oozie:hadoop
    WebHCat spnego.service.keytab HTTP 700 webhcat:hadoop

  5. On each of the node in your cluster, change directory to the keytab directory (the location is specified by the keytabdir property in the gsInstaller.properties file).

  6. Copy the appropriate keytab file on each of node in your cluster.

  7. Follow the steps listed in Step 2-2 through Step 2-4 above for creating keytab files and principals for the following users. Use the following mandatory naming conventions:

    Table 3.5. Secure deployment - Mandatory naming conventions for HDFS service and Smoke test user's keytabs and host principals
    User Keytab File Name Principal Name Permissions
    hdfs:hadoop $hdfsuser.headless.keytab hdfs 700
    hdptestuser:hadoop $smoke_test_user.headless.keytab $smoke_test_user 700

Legal notices
loading table of contents...