question Re: In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command? in Archives of Support Questions (Read Only)

In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command?

nhgodwal — Fri, 16 Sep 2022 12:24:49 GMT

I am running below command on ubuntu node where my single node hadoop cluster(kerberized) with existing Active Directory:

root@host1:~# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-testcluster@SRV.COM

Where, hadoop_cluster_name = testcluster, Realm=SRV.COM

I am trying to access hdfs with hdfs service-principal name. But I am not sure in this command what is the user-principal who is requesting this service. Is it the "kadmin Principal" which I set during configuration setting of Kerberos?

Re: In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command?

rlevas — Tue, 17 Oct 2017 23:42:58 GMT

@Neha G

Your question is unclear, however in the kinit line you posted, the principal is hdfs-testcluster@SRV.COM. This is typically the "root" user for HDFS and is generally translated to the local user with the username "hfds" using the configured auth-to-local rule set. Using this principal, you should have full access to manage HDFS.

To see the current Kerberos ticket cache for the active user, you can issue the command

klist

This will show you what identity is being used as the authenticated user, if a user was authenticated.

Re: In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command?

smayani — Tue, 17 Oct 2017 23:49:30 GMT

here hdfs-testcluster@SRV.COM is your user principal. Following command will tell you the encryption type and user principle in this keytab.

# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
# ##### hdfs-testcluster@SRV.COM (####)
# ##### hdfs-testcluster@SRV.COM (####)

when you run hdfs command, this gets translated to hdfs user by following property: hadoop.security.auth_to_local and rule: RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/

Re: In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command?

Shelton — Tue, 17 Oct 2017 23:54:35 GMT

@Neha G

In a kerberized cluster there are 2 types of keytabs or principals headless and service principals.

Headless principals are not bound to a specific host or node and are presented like @ SRV.COM

Service principals are bound to a specific service and host or node, and are presented like with syntax: /@ SRV.COM

So when you initialize the hdfs.headless.keytab is as DoAs so the user will take hdfs permissions