Create a Kerberos Principal and a keytab File for HttpFS
About this task
Skip this task if you are not using HttpFS.
Each node running the HttpFS service must have a keytab file (/opt/mapr/conf/mapr.keytab) that contains these two principals:
HTTP/<fully.qualified.domain.name>
mapr/<fully.qualified.domain.name>
For complete instructions on generating a Kerberos principal and keytab file, see Configuring Kerberos User Authentication.
To check whether the keytab already exists and contains the two necessary principals, run the klist command with the -k (keytab keys), -e (encryption type) and -t (timestamp) options:
$ klist -ket /opt/mapr/conf/mapr.keytab
The output from this command displays the following information:
- KVNO (key version number)
- Timestamp (the time the key was generated)
- Principal names
- Encryption types
If the keytab file does not exist, or does not contain both principals, generate them by following these steps.
Procedure
- Generate a Kerberos principal for the mapr user.
  The principal is of the form mapr/<fully.qualified.domain.name>@<your-realm>.com, where <fully.qualified.domain.name> is unique for each HttpFS node. In the following example, perfnode153.perf.lab@dev-maprtech.com is used for <fully.qualified.domain.name>@<your-realm>.com.
  $ kadmin
  kadmin: addprinc -randkey mapr/perfnode153.perf.lab@dev-maprtech.com
- Generate a Kerberos principal for HTTP/<fully.qualified.domain.name>. This is required for Kerberos authentication of the HttpFS server using HTTP SPNEGO.
  $ kadmin
  kadmin: addprinc -randkey HTTP/perfnode153.perf.lab@dev-maprtech.com
- If the current node does not already have a keytab file created for another service, create one and name it mapr.keytab. Export both principals into it; ktadd accepts several principals in one command:
  kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/perfnode153.perf.lab HTTP/perfnode153.perf.lab
  Note that every node uses the same keytab path (usually /opt/mapr/conf/mapr.keytab), and each keytab file can hold multiple principals. Note also that ktadd generates a new random key and increments the KVNO for each principal it exports, so export a principal once; re-running ktadd for the same principal on another node leaves the earlier keytab entry out of step with the KDC's current key.
- Change the owner of the keytab file from the root user (the default) to the mapr user.
  $ chown mapr:mapr /opt/mapr/conf/mapr.keytab
- Set owner-only permissions (mode 600) on the mapr.keytab file, so that no user other than mapr can read the keys.
  $ chmod 600 /opt/mapr/conf/mapr.keytab
- Verify the credentials in the keytab file.
  To test that the credentials in the mapr.keytab file work, run the klist command with the -k (keytab keys), -e (encryption type) and -t (timestamp) options.
  $ klist -ket /opt/mapr/conf/mapr.keytab
  Verify that the output lists only one key version number (KVNO) for each principal name. If the same principal is listed more than once with different key version numbers, the key was probably re-exported (ktadd randomizes the key and increments the KVNO on every run). The service can only decrypt tickets issued under the KDC's current KVNO, so a node whose keytab holds a stale version cannot authenticate clients, and you may not be able to log in to the node with your user credentials.
  Sample output for a node that has the HttpFS and CLDB services installed is shown below.
  Keytab name: FILE:/opt/mapr/conf/mapr.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
     2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
     2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
     2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des-cbc-crc)
     2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
     2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
     2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
     2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des-cbc-crc)
     6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (aes256-cts-hmac-sha1-96)
     6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (arcfour-hmac)
     6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (des3-cbc-sha1)
     6 07/18/14 18:50:57 mapr/my.cluster.com@dev-maprtech (des-cbc-crc)
  In the example, the following principals are listed for the node perfnode153.perf.lab:
  - mapr/perfnode153.perf.lab@dev-maprtech (for authenticating to the HttpFS service)
  - HTTP/perfnode153.perf.lab@dev-maprtech (for SPNEGO authentication of HTTP clients)
  - mapr/my.cluster.com (for authenticating to the CLDB service)
  The DES (des-cbc-crc), 3DES (des3-cbc-sha1) and RC4 (arcfour-hmac) entries in this 2014 sample are deprecated encryption types; a current KDC should be configured to issue only AES keys, and a keytab that still carries these entries should be regenerated after the KDC policy is tightened.
- Verify that context.xml.jpamLogin exists in this location: /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
  This file may have been renamed to context.xml to configure PAM authentication for HttpFS. However, to configure Kerberos for HttpFS, rename the file back to context.xml.jpamLogin:
  $ mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin
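The keytab verification step above, turned into a script: it parses a klist -ket listing, confirms that both mapr/<host> and HTTP/<host> are present with exactly one KVNO each, and checks that the keytab file is owned by the service user with mode 600. This is an added example, not code from the MapR documentation. The host name perfnode153.perf.lab and realm dev-maprtech are placeholders, the SAMPLE_LISTING is a constructed klist transcript (with a deliberately stale HTTP entry, the failure the step warns about), and the weak-enctype warning goes beyond the page by flagging the deprecated DES, 3DES and RC4 key types.

```shell
#!/bin/sh
# Added example (not from the original page): validate a keytab for HttpFS.
# Assumptions: the host name and realm are placeholders; SAMPLE_LISTING is a
# constructed `klist -ket` transcript, not real output.

# Constructed sample: the HTTP principal appears under two KVNOs (2 and 3).
SAMPLE_LISTING='Keytab name: FILE:/opt/mapr/conf/mapr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
   2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
   2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
   3 07/19/14 09:12:00 HTTP/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
   6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (aes256-cts-hmac-sha1-96)'

# check_listing HOST LISTING
# Reads a `klist -ket` transcript and prints, one per line:
#   - "missing: <principal>"        when mapr/HOST or HTTP/HOST is absent
#   - "multiple KVNOs for ..."      when a principal has more than one KVNO
#   - "warning: weak enctype ..."   for DES, 3DES or RC4 keys (does not fail)
# Returns 0 only when both principals are present with a single KVNO each.
check_listing() {
  printf '%s\n' "$2" | awk -v host="$1" '
    # Key entries start with a numeric KVNO; field 4 is principal@REALM and
    # field 5 is the enctype in parentheses (printed because of -e).
    $1 ~ /^[0-9]+$/ {
      split($4, parts, "@"); princ = parts[1]
      if (!((princ, $1) in seen)) { seen[princ, $1] = 1; nkvno[princ]++ }
      if ($5 ~ /des-cbc-|des3-cbc-|arcfour-hmac/)
        print "warning: weak enctype " $5 " for " $4
    }
    END {
      rc = 0
      n = split("mapr/" host " HTTP/" host, want, " ")
      for (i = 1; i <= n; i++) {
        if (!(want[i] in nkvno)) { print "missing: " want[i]; rc = 1 }
        else if (nkvno[want[i]] > 1) {
          print "multiple KVNOs for " want[i] " (" nkvno[want[i]] " versions)"
          rc = 1
        }
      }
      exit rc
    }'
}

# check_keytab_file PATH OWNER
# Returns 0 when PATH exists, has mode 0600 (-rw-------) and is owned by OWNER.
check_keytab_file() {
  [ -f "$1" ] || { echo "missing: $1"; return 1; }
  set -- "$1" "$2" $(ls -ld "$1")      # $3 = mode string, $5 = owner
  case "$3" in
    -rw-------*) ;;                    # trailing + or . (ACL/SELinux) is fine
    *) echo "mode is $3, want -rw-------"; return 1 ;;
  esac
  [ "$5" = "$2" ] || { echo "owner is $5, want $2"; return 1; }
}

HOST=perfnode153.perf.lab   # placeholder host name (assumption)
echo "== constructed sample listing =="
if check_listing "$HOST" "$SAMPLE_LISTING"; then
  echo "sample listing is clean"
else
  echo "sample listing has problems (expected: stale HTTP KVNO)"
fi

# On a real node, run the same checks against the actual keytab.
KEYTAB=/opt/mapr/conf/mapr.keytab
if [ -r "$KEYTAB" ] && command -v klist >/dev/null 2>&1; then
  check_keytab_file "$KEYTAB" mapr
  check_listing "$(hostname -f)" "$(klist -ket "$KEYTAB")"
fi
```

Run it as the mapr user on each HttpFS node after the ktadd, chown and chmod steps; a non-zero exit from check_listing on the live keytab means the node will not be able to authenticate SPNEGO clients until the keytab is regenerated with a single, current KVNO per principal.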