
Kerberos Enable first time

New Member

Hi,

I have HDP installed on my cluster. Now the next task is to enable Kerberos for the HDP cluster. Can someone point me to step-by-step documentation, please? Do I need AD/LDAP as well? It's a development cluster.

1 ACCEPTED SOLUTION

Master Mentor

@Mudit Kumar

Testing for Hive or HBase is straightforward too, just similar to the previous.

Without Kerberos ticket

From ROOT switch to user hive/hbase

# su - hive 

or

# su - hbase 

Check if hdfs has a ticket

$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1013) 

If you see some output different from the above, destroy the ticket

$ kdestroy 

Try accessing hive or Hbase shell CLI

$ hive 

or

$ hbase shell

When you press "ENTER" this should give you an error for both hive and hbase

Test with Kerberos for hive

$ klist -ket /etc/security/keytabs/hive.keytab
Keytab name: FILE:/etc/security/keytabs/hive.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (des3-cbc-sha1)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (aes128-cts-hmac-sha1-96)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (arcfour-hmac)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (des-cbc-md5)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (aes256-cts-hmac-sha1-96) 

Test with Kerberos for hbase

$ klist -ket /etc/security/keytabs/hbase.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (des3-cbc-sha1)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (aes128-cts-hmac-sha1-96)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (arcfour-hmac)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (des-cbc-md5)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (aes256-cts-hmac-sha1-96) 

Note the difference with the command below; it won't give you the encryption

Check principal for hive

$ klist -kt /etc/security/keytabs/hive.keytab
Keytab name: FILE:/etc/security/keytabs/hive.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} 

Check principal for hbase

$ klist -kt /etc/security/keytabs/hbase.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} 
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} 

Grab a ticket. Note I switch to kinit, NOT klist, and I append the principal for hive-{host_name}@{YOUR_REALM} or hbase-{host_name}@{YOUR_REALM} to the keytab

$ kinit -kt /etc/security/keytabs/hive.keytab hive-{host_name}@{YOUR_REALM}

or

$ kinit -kt /etc/security/keytabs/hbase.keytab hbase-{host_name}@{YOUR_REALM}

Now I should have a valid ticket as shown below for either hive or hbase

$ klist 
Ticket cache: FILE:/tmp/krb5cc_507 
Default principal: hive-{host_name}@{YOUR_REALM} 
Valid starting       Expires              Service principal
xx/xx/xx xx:xx:xx    xx/xx/xx xx:xx:xx    krbtgt/{YOUR_REALM}@{YOUR_REALM}
        renew until xx/xx/xx xx:xx:xx

Now I should be able to connect to hive CLI

$ hive 

After some time you should have the below output

$ hive
WARNING: Use "yarn jar" to launch YARN applications
................
Logging initialized using configuration in file:/etc/hive/2.5.0.0-817/0/hive-log4j.properties
hive>

Now you can run all the hive queries

For hbase

$ klist 
Ticket cache: FILE:/tmp/krb5cc_507 
Default principal: hbase-{host_name}@{YOUR_REALM} 
Valid starting       Expires              Service principal
xx/xx/xx xx:xx:xx    xx/xx/xx xx:xx:xx    krbtgt/{YOUR_REALM}@{YOUR_REALM}
        renew until xx/xx/xx xx:xx:xx

Now I should be able to connect to hbase shell and there shouldn't be any error

$ hbase shell 
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 0.94.23, rf42302b28aceaab773b15f234aa8718fff7eea3c, Thursday  May 10 18:54:09 UTC 2018
hbase(main):001:0>

Voila, you are done.

As reiterated, please "Accept" and close the thread. You can open a new thread as this has become long 🙂
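
An added example, not part of the original post: the `klist -ket` listings above show DES, 3DES and RC4 (arcfour) keys next to the AES ones, and this script reads `klist -ket` output and flags those legacy encryption types per principal. The function names and the sample principal and realm are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag legacy Kerberos
# encryption types in `klist -ket` output.
# On a real host:  klist -ket /etc/security/keytabs/hive.keytab | audit_keytab

# Reads `klist -ket` output on stdin. Prints "WEAK <principal> kvno=<n> <enctype>"
# for every DES, 3DES or RC4 key and "NO-AES <principal>" for a principal with
# no AES key at all. Returns non-zero when anything is flagged.
audit_keytab() {
    awk '
    # Entry lines start with a numeric KVNO and end with "(enctype)".
    $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
        princ = $(NF - 1)
        enc = $NF
        gsub(/[()]/, "", enc)
        sub(/^DEPRECATED:/, "", enc)   # prefix printed by some klist builds
        seen[princ] = 1
        if (enc ~ /^aes/) aes[princ] = 1
        if (enc ~ /^(des3?|arcfour|rc4)-/) {
            printf "WEAK %s kvno=%s %s\n", princ, $1, enc
            bad = 1
        }
    }
    END {
        for (p in seen) if (!(p in aes)) { printf "NO-AES %s\n", p; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample in the layout shown above; principal and realm are placeholders.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/security/keytabs/hive.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hive/node1.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 05/10/18 22:25:31 hive/node1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 05/10/18 22:25:31 hive/node1.example.com@EXAMPLE.COM (arcfour-hmac)
   1 05/10/18 22:25:31 hive/node1.example.com@EXAMPLE.COM (des-cbc-md5)
   1 05/10/18 22:25:31 hive/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}

sample_klist_output | audit_keytab || echo "legacy keys present"
```

Removing the flagged keys means regenerating the keytab with only AES encryption types enabled on the KDC side; the script only reports and changes nothing.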



11 REPLIES

Master Mentor

@Mudit Kumar

Hopefully, this helped. If it did, please 'Accept' and 'upvote' the answer hence closing the thread.

Thank you!!

New Member

@Geoffrey Shelton Okot: Now I need to access my HDP cluster from my laptop using curl/REST API, but I am not able to do so. My laptop is in a different AD domain. I tried enabling SPNEGO/HTTP as well, but no luck. The curl call works inside the cluster but not from outside. Any documentation help on that?