question Re: Can CDH5.3 Sentry work without Kerberos? in Archives of Support Questions (Read Only)

Can CDH5.3 Sentry work without Kerberos?

ty.n — Fri, 16 Sep 2022 09:21:44 GMT

I am trying to evaluate Sentry in the CDH5.3 virtual machine provided by Cloudera. Unfortunately I am having a lot of problems getting it to even work and I throught I'd check that my assumption that I can even get it to work is correct.

In this ( http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_sentry_service.html ) documentation the prereqisites say:

CDH 5.1.x (or later) managed by Cloudera Manager 5.1.x (or later). See the Cloudera Manager Administration Guide and Cloudera Installation and Upgrade for instructions.
HiveServer2 and the Hive Metastore running with strong authentication. For HiveServer2, strong authentication is either Kerberos or LDAP. For the Hive Metastore, only Kerberos is considered strong authentication (to override, see Securing the Hive Metastore).
Impala 1.4.0 (or later) running with strong authentication. With Impala, either Kerberos or LDAP can be configured to achieve strong authentication.
Implement Kerberos authentication on your cluster. For instructions, see Enabling Kerberos Authentication Using the Wizard

I don't have kerberos or LDAP (since I'm in the virtual machine) so I override the HiveServer2/Hive Metastore requirement for strong authentication.

The last prerequisite says I need to implement Kerberos authentication. Is this only if I want Impala to work; or will it stop Sentry from working entirely.

Thanks

Re: Can CDH5.3 Sentry work without Kerberos?

dice — Tue, 17 Feb 2015 00:10:25 GMT

Sentry is a service for strong authorization over Hadoop cluster, so that the cluster needs to be strongly authenticated using Kerberos or LDAP before you integrate Sentry.

Re: Can CDH5.3 Sentry work without Kerberos?

ty.n — Tue, 17 Feb 2015 00:12:57 GMT

Just to be 100% sure are you saying that it is not possible to implement Sentry with the virtual machine alone since it does not have any kerberos functionality inbuilt?

Re: Can CDH5.3 Sentry work without Kerberos?

dice — Tue, 17 Feb 2015 00:41:08 GMT

Kerberos (KDC) is not included with the VM, but you can easily configure KDC server by yourself in the VM.

I usually run krb-bootstrap for this kinds of test purpose: https://github.com/daisukebe/krb-bootstrap.

Re: Can CDH5.3 Sentry work without Kerberos?

ty.n — Tue, 17 Feb 2015 00:45:21 GMT

Thanks I'll give it a try.

Re: Can CDH5.3 Sentry work without Kerberos?

dice — Tue, 17 Feb 2015 01:00:44 GMT

You're welcome!

Re: Can CDH5.3 Sentry work without Kerberos?

ty.n — Tue, 17 Feb 2015 05:30:40 GMT

I'm afraid it's not smooth sailing on this one. I found the github project here: https://github.com/esammer/krb-bootstrap

It all seems to work ok. I seem to get Kerberos and a realm (CLOUDERA) and a principal (cloudera-scm/admin). After some searching I managed to set the password for cloudera-scm/admin usinf the command line tool kadmin.local

Unfortunately when I get to step 5 (import KDC Account Manager Credentials) of the Coudera Manager kerberos setup wizard I get the following message. I'm afraid I'm stuck again and could use some help if anyone knows how to get past this problem.

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/REDACTED-scm-server/cmf242896655772090475.keytab
+ USER=REDACTED-scm/admin@CLOUDERA
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p REDACTED-scm/admin@CLOUDERA -k 1 -e des-hmac-sha1'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/REDACTED-scm-server/cmf242896655772090475.keytab'
+ ktutil
+ chmod 600 /var/run/REDACTED-scm-server/cmf242896655772090475.keytab
+ kinit -k -t /var/run/REDACTED-scm-server/cmf242896655772090475.keytab REDACTED-scm/admin@CLOUDERA
kinit: Key table entry not found while getting initial credentials

>>

Re: Can CDH5.3 Sentry work without Kerberos?

ty.n — Tue, 17 Feb 2015 05:39:53 GMT

ok, I posted too soon. I seem to have solved it.

I addedd all the key algorithms that kadmin.local listed when I did a get_principal on the cloudera-scm/admin principal.

Restarting the cluster now...

Re: Can CDH5.3 Sentry work without Kerberos?

dice — Tue, 17 Feb 2015 05:45:18 GMT

The original script Eric Sammer wrote up used to be working when CM didn't have the wizard which enables Kerberos. I made some changes with his.

Please use mine instead and specify the password as cloudera in the wizard.

Re: Can CDH5.3 Sentry work without Kerberos?

dice — Tue, 17 Feb 2015 05:46:35 GMT

Before you do try mine, please uninstall krb5-server and krb5-workstation packages.

Re: Can CDH5.3 Sentry work without Kerberos?

ty.n — Tue, 17 Feb 2015 12:44:40 GMT

Thanks for the link to your kerberos bootstrap'er. It seems to work for me. Unfortunately I ran into a secondary problem and I'm not sure how to let Cloudera know about it.

On a clean CDH5.3 virtual machine I started Cloudera Manager and then ran your kerberos bootstrapper. Then I ran the Kerberos configuration wizard in Cloudera Manager. The restart failed to complete successfully. It seemed like the Yarn NameNode was having trouble with the topology.map amd container-executer.cfg file permissions in the /var/run/cloudera-scm-agent/process/??-yarn-NODEMANAGER/ directory (note: ?? is a number generated each time I tried to restart the NodeManager).

On further inspection, and a couple snapshot reverts, I think I found the real problem. the /etc and /etc/hadoop directories have group write permissions set. This was identified in the NodeManager logs. I started again and changed the permissions to remove the group write permission on both directories - before running the Cloudera Manager Kerberos configuration wizard. This time it seems to have worked. note: I hve not yet had a chance to test kerberos actually doing anything from a hdfs/hive/pig user perspective.

Only one last glitch in the system. It looks like Spark does not have Kerberos credentials created for it. The Spark History Server is showing as critical health and its log is identifying missing Kerberos credentials. When I look at the Kerberos Credentials screen in Cloudera Manager I see credentials for all the services excpt Spark. I'm not doing anything with Spark and I don't know anything about it so I'll just stop the service for now.

I am not sure if changing the directory permissions on /etc and /etc/hadoop will adversely affect other functions; but I hope my little investigation can help others.

Re: Can CDH5.3 Sentry work without Kerberos?

dice — Tue, 17 Feb 2015 12:55:44 GMT

Thanks for the information!
Hmm, I have never met such kinds of problem, but I don't think the change
you did will break the other finctionalities.

Daisuke

Re: Can CDH5.3 Sentry work without Kerberos?

Darren — Wed, 18 Feb 2015 19:44:17 GMT

Usually /etc/ and /etc/hadoop don't have group write permissions. Not sure how they got there, but removing it seems like a good idea.