Create a Kerberos Principal and a keytab File for JobTracker

About this task

In order to use JobTracker with Kerberos, you need to create a Kerberos principal and a keytab file. A Kerberos principal is a unique identity that represents a user or service in a Kerberos system. The user obtains a ticket for a principal name (through the kinit utility) and this ticket authenticates the user to the Kerberos server.

The keytab file contains principal names and their corresponding encrypted keys, or tickets.

Creating Kerberos Principals

About this task

Use the addprinc command at the kadmin console prompt to create two principals in the same realm as the MapR cluster:

  • A JobTracker user principal (used by SPNEGO webservers)
  • An HTTP user principal (for nodes that handle SPNEGO traffic)

For example, if the JobTracker service and the webserver service are running on a node called perfnode153.perf.lab and the realm is called dev-maprtech, the commands to add the JobTracker principal and the HTTP principal are:

    kadmin: addprinc -randkey mapr/perfnode153.perf.lab@dev-maprtech
    kadmin: addprinc -randkey HTTP/perfnode153.perf.lab@dev-maprtech

Creating a keytab File

About this task

Keytabs are created or appended to by extracting keys from the KDC database using the ktadd command inside the kadmin console prompt.

To create a keytab file for the JobTracker principal, you use the same procedure that you use to create the keytab for the MapR-FS or mapred principal for a specific host.

Procedure

  1. Create the keytab file for the JobTracker principal. Name this file mapr.keytab and put it in the directory /opt/mapr/conf on the machine running the JobTracker server, as shown:
    kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/perfnode153.perf.lab
  2. Restrict permissions on the mapr.keytab file so that only its owner can read and write it.
    $ sudo chmod 600 /opt/mapr/conf/mapr.keytab
  3. Set the file's owner to the user running the JobTracker server (usually mapr).
    $ sudo chown mapr:mapr /opt/mapr/conf/mapr.keytab
  4. Copy the mapr.keytab file to all the nodes running Hue, Hive, httpfs, and Oozie services.
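
After step 4, each node's copy can be checked for the mode, owner, and principal set in the procedure above. The script below is an added example, not part of the MapR documentation; the function names are hypothetical, the klist output is a constructed sample, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit a copied keytab on a node. The path, owner and principal
# are the ones used on this page; the function names are hypothetical.

# Print "ok" if FILE has mode 600 and is owned by OWNER, otherwise the reason.
check_keytab_perms() {
    file=$1
    owner=$2
    [ -f "$file" ] || { echo "missing"; return 1; }
    # GNU stat: %a = octal mode, %U = owner name
    set -- $(stat -c '%a %U' "$file")
    [ "$1" = "600" ] || { echo "mode $1, expected 600"; return 1; }
    [ "$2" = "$owner" ] || { echo "owner $2, expected $owner"; return 1; }
    echo "ok"
}

# Read `klist -k FILE` output on stdin and print the highest KVNO stored for
# PRINCIPAL (realm part optional). Exit status 1 if the principal is absent.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {
            name = $2
            bare = name
            sub(/@.*$/, "", bare)
            if ((name == p || bare == p) && (!found || $1 + 0 > max)) {
                max = $1 + 0
                found = 1
            }
        }
        END { if (found) print max; else exit 1 }'
}

# Constructed sample of `klist -k` output, for running without a KDC.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/opt/mapr/conf/mapr.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 mapr/perfnode153.perf.lab@dev-maprtech
   3 mapr/perfnode153.perf.lab@dev-maprtech
EOF
}

# On a real node:
#   check_keytab_perms /opt/mapr/conf/mapr.keytab mapr
#   klist -k /opt/mapr/conf/mapr.keytab | keytab_kvno mapr/perfnode153.perf.lab
```

With MIT Kerberos, ktadd sets a new random key and increments the KVNO each time it runs, so a node reporting a lower KVNO than the JobTracker host holds a stale copy of the keytab.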