Create a Kerberos Principal and a keytab File for the CLDB
To use Kerberos to generate MapR tickets for users, enable Kerberos on the CLDB by creating a Kerberos identity on the Kerberos server used by the cluster. Then distribute that identity to the other CLDB nodes in the cluster.
If you are using strong encryption with Kerberos and the Oracle JDK, you will require a new Java Cryptography Extension (JCE) policy file.
MapR clusters do not provide a Kerberos infrastructure. This section assumes you have a functioning Kerberos realm and your systems have the Kerberos client installed. The tips in this section assume a Linux-based Kerberos environment, and the specific commands for your environment may vary. Please consult with your Kerberos administrator for assistance.
Creating a Kerberos Identity for the CLDB
configure.sh or edit the mapr-clusters.conf file to change this default. Use the following commands in a Linux-based Kerberos environment to set up the identity:

    kadmin: addprinc -randkey mapr/my.cluster.com
    kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.com
Copy the resulting mapr.keytab file to the same location on every CLDB node. The mapr.keytab file must be owned and readable only by the mapr user. You can specify the location of the mapr.keytab file in the conf/mapr.login.conf file. The default location for mapr.keytab is /opt/mapr/conf.
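The ownership and permission requirement above is easy to get wrong when the keytab is copied between nodes, so here is an added check script (not part of the MapR documentation or product) that verifies a keytab is owned by the expected service user and is not readable by group or others. It assumes GNU coreutils stat (Linux); the keytab path and the owner name mapr are the defaults described above.

```shell
#!/bin/sh
# Added example, not MapR's own tooling: verify that a keytab such as
# /opt/mapr/conf/mapr.keytab is owned by the service user (default: mapr)
# and has no group/other permission bits, as required on every CLDB node.
# Returns 0 when the file is correctly locked down, 1 on a bad owner or mode,
# 2 when the file does not exist. Assumes GNU stat (-c), i.e. Linux.

check_keytab_perms() {
    keytab="$1"
    owner="${2:-mapr}"

    if [ ! -f "$keytab" ]; then
        echo "MISSING: $keytab"
        return 2
    fi

    actual_owner=$(stat -c '%U' "$keytab")
    mode=$(stat -c '%a' "$keytab")

    # Keep only the low three octal digits (drops setuid/setgid/sticky if set).
    mode=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    # The last two digits are the group and other permission bits.
    group_other="${mode#?}"

    status=0
    if [ "$actual_owner" != "$owner" ]; then
        echo "BAD OWNER: $keytab is owned by $actual_owner, expected $owner"
        status=1
    fi
    if [ "$group_other" != "00" ]; then
        echo "BAD MODE: $keytab has mode $mode; group/other must have no access (use 600 or 400)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $keytab is owned by $owner with mode $mode"
    return "$status"
}

# Example invocation on a CLDB node (uses the documented default path and owner):
# check_keytab_perms /opt/mapr/conf/mapr.keytab mapr
```

Run it on each CLDB node after copying the keytab; a non-zero exit means the file would be readable by accounts other than mapr or is missing.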
Updating the keytab File
You can use the kadmin tool to update the server keys that are stored in the keytab file. Because the server tickets used to authenticate to the CLDB use the new keys immediately, you must copy the new keytab file to all the CLDB servers in the cluster immediately after updating the server keys.

    kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.com
The CLDB automatically detects changes to the keytab file on systems that use Java 7 or later.
Systems that use Java 6 require a CLDB restart to detect changes to the keytab file. In MapR Versions 4.0.1 and later, Java 6 is deprecated in favor of Java 7 and Java 8.
Kerberos Command Summary
- kinit: Creates a Kerberos ticket. Prompts the user for userid and password. After validating, Kerberos creates a ticket file in /tmp that is owned by the user. Use the -R option to renew an existing ticket. Kerberos credentials expire in 8-10 hours. Expired credentials must be renewed or replaced. By default, tickets can be renewed for up to 24 hours.
- klist: Lists the contents of the user's ticket file.
- kdestroy: Destroys the contents of the user's ticket file. The user is no longer authenticated.
- kadmin: Used to administer Kerberos. The login for this command is implicitly <userid>/admin, since administrator ids typically end in /admin.
- ktutil: Kerberos keytab maintenance utility. Used to combine or alter Kerberos keytabs.