Create a Kerberos Principal and a keytab File for the CLDB

To use Kerberos to generate MapR tickets for users, enable Kerberos on the CLDB by creating a Kerberos identity on the Kerberos server used by the cluster. Then distribute that identity to the other CLDB nodes in the cluster.

WARNING:

If you are using strong encryption with Kerberos and the Oracle JDK, you will require a new Java Cryptography Extension (JCE) policy file.

MapR clusters do not provide a Kerberos infrastructure. This section assumes you have a functioning Kerberos realm and your systems have the Kerberos client installed. The tips in this section assume a Linux-based Kerberos environment, and the specific commands for your environment may vary. Please consult with your Kerberos administrator for assistance.

Creating a Kerberos Identity for the CLDB

The CLDB requires a Kerberos server identity, but no other nodes do. By default, this identity takes the form mapr/<cluster name>. You can use configure.sh or edit the mapr-clusters.conf file to change this default. Use the following commands in a Linux-based Kerberos environment to set up the identity (the kadmin: prefix is the interactive kadmin prompt):
kadmin
kadmin: addprinc -randkey mapr/my.cluster.com
kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.com

Copy the resulting mapr.keytab file to the same location on every CLDB node. The mapr.keytab file must be owned and readable only by the mapr user. You can specify the location of the mapr.keytab file in the conf/mapr.login.conf file. The default location for mapr.keytab is /opt/mapr/conf.

Updating the keytab File

You can use the kadmin tool to update the server keys that are stored in the keytab file. Because the server tickets used to authenticate to the CLDB use the new keys immediately, you must copy the new keytab file to all the CLDB servers in the cluster immediately after updating the server keys.

To update the keytab file with a new key, run the following command:
kadmin
kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.com

The CLDB automatically detects changes to the keytab file on systems that use Java 7 or later.

NOTE:

Systems that use Java 6 require a CLDB restart to detect changes to the keytab file. In MapR Versions 4.0.1 and later, Java 6 is deprecated in favor of Java 7 and Java 8.
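The creation and update procedures above, carried through as an added shell script that is not part of MapR's documentation. It assumes a Linux host (GNU stat), a Kerberos admin identity admin/admin, the cluster name my.cluster.com used on this page, and a constructed list of the other CLDB nodes; before copying the keytab it enforces the ownership and mode requirement stated above.

```shell
#!/bin/sh
# Added example, not a MapR-supplied script. Linux (GNU stat) assumed.
# Assumed values: the admin principal, the cluster name, the CLDB node list.
set -e

KEYTAB=/opt/mapr/conf/mapr.keytab
PRINCIPAL="mapr/my.cluster.com"                   # default form: mapr/<cluster name>
ADMIN_PRINC="admin/admin"                         # assumption: your kadmin identity
CLDB_NODES="cldb2.example.com cldb3.example.com"  # assumption: the other CLDB nodes

# check_keytab_perms PATH OWNER
# Returns 0 only if PATH exists, is owned by OWNER, and grants no group/other
# permission bits (octal mode ending in 00), i.e. readable only by its owner.
check_keytab_perms() {
    path=$1; owner=$2
    [ -f "$path" ] || return 1
    [ "$(stat -c '%U' "$path")" = "$owner" ] || return 1
    case "$(stat -c '%a' "$path")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Write a (new) key for the principal into the keytab; ktadd bumps the kvno.
# Used both for first setup and for the key update described above.
write_cldb_key() {
    kadmin -p "$ADMIN_PRINC" -q "ktadd -k $KEYTAB $PRINCIPAL"
    chown mapr:mapr "$KEYTAB" && chmod 600 "$KEYTAB"
}

# First-time setup: create the principal with a random key, then write the keytab.
create_cldb_principal() {
    kadmin -p "$ADMIN_PRINC" -q "addprinc -randkey $PRINCIPAL"
    write_cldb_key
}

# Copy the keytab to every other CLDB node as the mapr user; refuse to ship a
# keytab whose ownership or mode is wrong. scp -p preserves the 0600 mode.
distribute_keytab() {
    check_keytab_perms "$KEYTAB" mapr || {
        echo "refusing to distribute $KEYTAB: must be owned by mapr, mode 600" >&2
        return 1
    }
    klist -k "$KEYTAB"                       # show the entries (and kvno) being shipped
    for node in $CLDB_NODES; do
        scp -p "$KEYTAB" "mapr@$node:$KEYTAB"
    done
}

# Usage: sh cldb-keytab.sh create   (first setup)  |  sh cldb-keytab.sh update
case "${1:-}" in
    create) create_cldb_principal && distribute_keytab ;;
    update) write_cldb_key && distribute_keytab ;;
esac
```

Run the update path immediately after rotating the key, since the CLDB starts using the new key as soon as ktadd writes it.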

Kerberos Command Summary

  • kinit: Creates a Kerberos ticket. Prompts the user for userid and password. After validating, Kerberos creates a ticket file in /tmp that is owned by the user. Use the -R option to renew an existing ticket. Kerberos credentials expire in 8-10 hours. Expired credentials must be renewed or replaced. By default, tickets can be renewed for up to 24 hours.
  • klist: Lists the contents of the user's ticket file.
  • kdestroy: Destroys the contents of the user's ticket file. The user is no longer authenticated.
  • kadmin: Used to administer Kerberos. The login for this command is implicitly <userid>/admin, since administrator ids typically end in /admin.
  • ktutil: Kerberos keytab maintenance utility. Used to combine or alter Kerberos keytabs.