Create a Kerberos Principal and a keytab File for JobTracker
About this task
In order to use JobTracker with Kerberos, you need to create a Kerberos principal and a keytab file. A Kerberos principal is a unique identity that represents a user or service in a Kerberos system. The user obtains a ticket for a principal name (through the kinit utility) and this ticket authenticates the user to the Kerberos server.
The keytab file contains principal names and their corresponding encrypted keys, or tickets.
Creating Kerberos Principals
About this task
Use the addprinc command at the kadmin console prompt to create two principals in the same realm as the MapR cluster:
- A JobTracker user principal (used by SPNEGO webservers)
- An HTTP user principal (for nodes that handle SPNEGO traffic)
For example, if the host is perfnode153.perf.lab and the realm is called dev-maprtech, the commands to add the JobTracker principal and the HTTP principal are:
kadmin: addprinc -randkey mapr/perfnode153.perf.lab@dev-maprtech
kadmin: addprinc -randkey HTTP/perfnode153.perf.lab@dev-maprtech
Creating a keytab File
About this task
Keytabs are created or appended to by extracting keys from the KDC database using the ktadd command inside the kadmin console prompt.
To create a keytab file for the JobTracker principal, you use the same procedure that you use to create the keytab for the MapR-FS or mapred principal for a specific host.
Procedure
- Create the keytab file for the JobTracker principal. Name this file mapr.keytab and put it in the directory /opt/mapr/conf on the machine running the JobTracker server, as shown:
  kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/perfnode153.perf.lab
- Restrict permissions on the mapr.keytab file so that only its owner can access it.
  $ sudo chmod 600 /opt/mapr/conf/mapr.keytab
- Set the file's owner to the user running the JobTracker server (usually mapr).
  $ sudo chown mapr:mapr /opt/mapr/conf/mapr.keytab
- Copy the mapr.keytab file to all the nodes running Hue, Hive, httpfs, and Oozie services.
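The following script is an added example, not part of the original MapR documentation. It audits the result of the procedure above on a node: that the keytab is a regular file with no group or other permission bits, that it is owned by the expected user, and that it holds the expected principal. The function names are hypothetical, and the principal check assumes the MIT Kerberos klist utility is installed.

```shell
#!/bin/sh
# Added example (not MapR code). Function names are hypothetical.
# Usage: sh audit_keytab.sh /opt/mapr/conf/mapr.keytab mapr mapr/perfnode153.perf.lab

# Print "<octal mode> <owner name>" (GNU stat first, BSD stat as fallback).
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Succeed only if the keytab is a regular file (not a symlink), owned by
# the expected user, with no group/other permission bits set.
check_keytab_perms() {
    keytab=$1; owner=$2
    if [ -L "$keytab" ] || [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab is missing or not a regular file" >&2; return 1
    fi
    info=$(file_mode_owner "$keytab") || return 1
    mode=${info%% *}; actual=${info#* }
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode lets group/other access $keytab" >&2; return 1
    fi
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: owner is $actual, expected $owner" >&2; return 1
    fi
    echo "OK: $keytab mode=$mode owner=$actual"
}

# Succeed if klist lists the principal in the keytab; return 2 when the
# klist utility is not installed, so the caller can tell "skipped" apart.
keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || { echo "SKIP: klist not found" >&2; return 2; }
    klist -k "$1" 2>/dev/null | grep -qF " $2@"
}

# Run the audit only when called with: <keytab> <owner> <principal>
if [ "$#" -eq 3 ]; then
    check_keytab_perms "$1" "$2" || exit 1
    keytab_has_principal "$1" "$3"
    case $? in 1) echo "FAIL: $3 not in $1" >&2; exit 1 ;; esac
fi
```

Run it as root or as the keytab's owner, since klist must be able to read the file, and repeat it on each node that received a copy of the keytab.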