Archives of Support Questions (Read Only)


In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command?

New Member

I am running the command below on an Ubuntu node hosting my single-node Hadoop cluster (kerberized) with an existing Active Directory:

root@host1:~# kinit -kt /etc/security/keytabs/hdfs.headless.keytab [email protected]

Where, hadoop_cluster_name = testcluster, Realm=SRV.COM

I am trying to access hdfs with hdfs service-principal name. But I am not sure in this command what is the user-principal who is requesting this service. Is it the "kadmin Principal" which I set during configuration setting of Kerberos?

1 ACCEPTED SOLUTION

Super Collaborator

Here [email protected] is your user principal. The following command will tell you the encryption type and user principal in this keytab.

# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
# ##### [email protected] (####)
# ##### [email protected] (####)

When you run the hdfs command, this gets translated to the hdfs user by the following property: hadoop.security.auth_to_local and rule: RULE:[1:$1@$0]([email protected])s/.*/hdfs/


3 REPLIES


@Neha G

Your question is unclear, however in the kinit line you posted, the principal is [email protected]. This is typically the "root" user for HDFS and is generally translated to the local user with the username "hdfs" using the configured auth-to-local rule set. Using this principal, you should have full access to manage HDFS.

To see the current Kerberos ticket cache for the active user, you can issue the command

klist

This will show you what identity is being used as the authenticated user, if a user was authenticated.


Master Mentor

@Neha G

In a kerberized cluster there are 2 types of keytabs or principals: headless and service principals.

Headless principals are not bound to a specific host or node and are presented like <name>@SRV.COM

Service principals are bound to a specific service and host or node, and are presented with the syntax: <service>/<host>@SRV.COM

So when you initialize with the hdfs.headless.keytab, it is as DoAs, so the user will take hdfs permissions.
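The two answers above describe, in words, the mapping that decides which local user a Kerberos principal becomes: the principal shape (headless name@REALM versus service/host@REALM) and the hadoop.security.auth_to_local rule that rewrites the formatted principal. The following is an added example, not code from the thread or from Hadoop itself: a small, simplified re-implementation of Hadoop's rule evaluation in Python, so you can check offline which local user a given principal would map to before trusting the keytab in production. The rule set, the default realm and the principals (hdfs-testcluster@SRV.COM following the HDP hdfs-<cluster> convention, nn/host1.srv.com@SRV.COM, neha@SRV.COM) are constructed for the example; the DEFAULT rule and the rejection of non-simple results ("/" or "@" in the output) follow Hadoop's documented behaviour but are simplified here.

```python
"""Simplified evaluator for Hadoop auth_to_local rules (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hadoop rule syntax: RULE:[n:format](filter)s/from/to/g  or the bare word DEFAULT.
# $0 in the format string is the realm, $1..$n are the principal components.
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"          # n and the format string
    r"(?:\(([^)]*)\))?"                  # optional filter regex
    r"(?:s/([^/]*)/([^/]*)/(g?))?$"      # optional sed-style substitution
)
_NON_SIMPLE = re.compile(r"[/@]")        # Hadoop rejects short names containing these


@dataclass(frozen=True)
class Principal:
    components: List[str]   # ["hdfs-testcluster"] or ["nn", "host1.srv.com"]
    realm: str

    @property
    def kind(self) -> str:
        # headless: name@REALM ; service: service/host@REALM
        return "service" if len(self.components) >= 2 else "headless"


def parse_principal(name: str) -> Principal:
    if "@" not in name:
        raise ValueError(f"principal has no realm: {name!r}")
    primary, realm = name.rsplit("@", 1)
    return Principal(primary.split("/"), realm)


def _format(fmt: str, p: Principal) -> str:
    # $0 -> realm, $i -> i-th component (1-based), as in Hadoop's KerberosName
    params = [p.realm] + p.components
    return re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], fmt)


def apply_rule(rule: str, p: Principal, default_realm: str) -> Optional[str]:
    """Return the local user name if this rule applies to p, otherwise None."""
    rule = rule.strip()
    if rule == "DEFAULT":
        # DEFAULT: principals in the cluster's own realm map to their first component
        return p.components[0] if p.realm == default_realm else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed rule: {rule!r}")
    n, fmt, flt, from_pat, to_pat, g = m.groups()
    if int(n) != len(p.components):
        return None                        # rule targets principals of a different shape
    base = _format(fmt, p)
    if flt and not re.fullmatch(flt, base):
        return None                        # filter regex must match the whole formatted name
    if from_pat is None:
        return base
    count = 0 if g else 1                  # 'g' flag: replace every occurrence, else only the first
    return re.sub(from_pat, to_pat, base, count=count)


def to_local_user(name: str, rules: List[str], default_realm: str) -> Optional[str]:
    """First matching rule wins; None means Hadoop would raise NoMatchingRule."""
    p = parse_principal(name)
    for rule in rules:
        short = apply_rule(rule, p, default_realm)
        if short is not None:
            if _NON_SIMPLE.search(short):
                raise ValueError(f"rule produced non-simple name {short!r} for {name!r}")
            return short
    return None


# Constructed rule set in the HDP style described in the thread: the headless
# hdfs-<cluster> principal and the namenode service principal both become the
# local "hdfs" user; anything else in the realm keeps its first component.
DEFAULT_REALM = "SRV.COM"
RULES = [
    "RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/",
    "RULE:[2:$1@$0](nn@SRV.COM)s/.*/hdfs/",
    "DEFAULT",
]


def describe(name: str) -> dict:
    p = parse_principal(name)
    return {"principal": name, "kind": p.kind,
            "local_user": to_local_user(name, RULES, DEFAULT_REALM)}


if __name__ == "__main__":
    for n in ("hdfs-testcluster@SRV.COM", "nn/host1.srv.com@SRV.COM",
              "neha@SRV.COM", "neha@OTHER.COM"):
        print(describe(n))
```

Paste the principals reported by klist -kte on your keytab into describe() together with your cluster's real hadoop.security.auth_to_local value to confirm the local user before relying on it; a None result is the case where Hadoop itself would refuse the login with a no-matching-rule error, which is the outcome to expect for principals from a foreign realm.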