
Can CDH5.3 Sentry work without Kerberos?

Contributor

I am trying to evaluate Sentry in the CDH5.3 virtual machine provided by Cloudera.  Unfortunately I am having a lot of problems getting it to even work and I thought I'd check that my assumption that I can even get it to work is correct.

 

In this ( http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_sentry_service.ht... ) documentation the prerequisites say:

I don't have kerberos or LDAP (since I'm in the virtual machine) so I override the HiveServer2/Hive Metastore requirement for strong authentication.

 

The last prerequisite says I need to implement Kerberos authentication.  Is this only if I want Impala to work, or will it stop Sentry from working entirely?

 

 

Thanks

Ty

 

1 ACCEPTED SOLUTION

Expert Contributor

The original script Eric Sammer wrote up used to work when CM didn't have the wizard which enables Kerberos. I made some changes to his.

Please use mine instead and specify the password as cloudera in the wizard.

 

See also step 7 on my GitHub page.

 

https://github.com/daisukebe/krb-bootstrap

 

daisukebe has changed the behavior for configuring Kerberos with Cloudera Manager 5.1 (and above). Then this script just generates a principal as cloudera-scm/admin for CM with a password as 'cloudera'.


12 REPLIES

Expert Contributor

Sentry is a service for strong authorization over a Hadoop cluster, so the cluster needs to be strongly authenticated using Kerberos or LDAP before you integrate Sentry.

Contributor

Just to be 100% sure, are you saying that it is not possible to implement Sentry with the virtual machine alone since it does not have any Kerberos functionality built in?

Expert Contributor

Kerberos (KDC) is not included with the VM, but you can easily configure a KDC server by yourself in the VM.

I usually run krb-bootstrap for this kind of test purpose: https://github.com/daisukebe/krb-bootstrap.

Contributor

Thanks I'll give it a try.

Expert Contributor

You're welcome!

Contributor

I'm afraid it's not smooth sailing on this one.  I found the GitHub project here: https://github.com/esammer/krb-bootstrap

 

It all seems to work OK.  I seem to get Kerberos and a realm (CLOUDERA) and a principal (cloudera-scm/admin).  After some searching I managed to set the password for cloudera-scm/admin using the command line tool kadmin.local.

 

Unfortunately, when I get to step 5 (Import KDC Account Manager Credentials) of the Cloudera Manager Kerberos setup wizard I get the following message.  I'm afraid I'm stuck again and could use some help if anyone knows how to get past this problem.

 

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/REDACTED-scm-server/cmf242896655772090475.keytab
+ USER=REDACTED-scm/admin@CLOUDERA
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p REDACTED-scm/admin@CLOUDERA -k 1 -e des-hmac-sha1'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/REDACTED-scm-server/cmf242896655772090475.keytab'
+ ktutil
+ chmod 600 /var/run/REDACTED-scm-server/cmf242896655772090475.keytab
+ kinit -k -t /var/run/REDACTED-scm-server/cmf242896655772090475.keytab REDACTED-scm/admin@CLOUDERA
kinit: Key table entry not found while getting initial credentials

>>

 

Contributor

OK, I posted too soon.  I seem to have solved it.

 

I added all the key algorithms that kadmin.local listed when I did a get_principal on the cloudera-scm/admin principal.

 

Restarting the cluster now...
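The error in the trace above, "Key table entry not found", is what kinit reports when no entry in the keytab matches the principal, kvno and encryption type of a key the KDC actually holds for that principal; import_credentials.sh writes one entry per enctype in its list (only des-hmac-sha1 in the trace), so a mismatch with the enctypes shown by getprinc leaves the keytab unusable. The following Python helper is an added example, not code from the thread, from Cloudera Manager or from krb-bootstrap: it parses constructed samples of `kadmin.local getprinc` and `klist -ket` output (the timestamps, kvno, enctype list and keytab path are made up), classifies each keytab entry as usable, wrong kvno or unknown enctype, lists the KDC enctypes the keytab lacks, and builds the same `addent`/`wkt` sequence the wizard pipes into ktutil for every enctype the KDC lists.

```python
"""Diagnose "kinit: Key table entry not found" for a keytab built the way
Cloudera Manager's import_credentials.sh builds it (ktutil addent ... -e ENCTYPE).
kinit can only use an entry whose principal, kvno AND enctype all match a key the
KDC has for that principal. Hypothetical helper, not part of CM or krb-bootstrap."""
import re

# Constructed sample of `kadmin.local -q "getprinc cloudera-scm/admin"` output
# (dates, kvno and the enctype list are made up for this example).
SAMPLE_GETPRINC = """\
Authenticating as principal root/admin@CLOUDERA with password.
Principal: cloudera-scm/admin@CLOUDERA
Expiration date: [never]
Last password change: Thu Feb 05 10:12:33 UTC 2015
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
MKey: vno 1
Attributes:
Policy: [none]
"""

# Constructed `klist -ket` output for a keytab written with only des-hmac-sha1,
# the single enctype the wizard used in the trace (path is made up).
SAMPLE_KLIST_BROKEN = """\
Keytab name: FILE:/var/run/cloudera-scm-server/cmf-example.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/05/2015 10:15:02 cloudera-scm/admin@CLOUDERA (des-hmac-sha1)
"""

# Same keytab after regenerating it with every enctype the KDC lists (constructed).
SAMPLE_KLIST_FIXED = """\
Keytab name: FILE:/var/run/cloudera-scm-server/cmf-example.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/05/2015 10:40:11 cloudera-scm/admin@CLOUDERA (aes256-cts-hmac-sha1-96)
   1 02/05/2015 10:40:11 cloudera-scm/admin@CLOUDERA (aes128-cts-hmac-sha1-96)
   1 02/05/2015 10:40:11 cloudera-scm/admin@CLOUDERA (des3-cbc-sha1)
   1 02/05/2015 10:40:11 cloudera-scm/admin@CLOUDERA (arcfour-hmac)
"""

KEY_RE = re.compile(r"^Key: vno (\d+), ([\w-]+)")           # "Key: vno 1, aes256-..., no salt"
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([\w-]+)\)")  # kvno date time principal (enctype)


def parse_getprinc(text):
    """Return (principal, {enctype: kvno}) from kadmin getprinc output."""
    principal, keys = None, {}
    for line in text.splitlines():
        if line.startswith("Principal: "):
            principal = line.split(": ", 1)[1].strip()
        m = KEY_RE.match(line)
        if m:
            keys[m.group(2)] = int(m.group(1))
    return principal, keys


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ket` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KLIST_RE.match, text.splitlines()) if m]


def diagnose(getprinc_text, klist_text):
    """Classify every keytab entry for the principal against the KDC's keys."""
    principal, kdc_keys = parse_getprinc(getprinc_text)
    mine = [e for e in parse_klist(klist_text) if e[1] == principal]
    result = {"principal": principal, "usable": [], "wrong_kvno": [],
              "unknown_enctype": [], "missing": []}
    for kvno, _, enctype in mine:
        if enctype not in kdc_keys:          # KDC has no key of this type: kinit can never use it
            result["unknown_enctype"].append((kvno, principal, enctype))
        elif kdc_keys[enctype] != kvno:      # key was rotated after the keytab was written
            result["wrong_kvno"].append((kvno, principal, enctype))
        else:
            result["usable"].append((kvno, principal, enctype))
    present = {e[2] for e in mine}
    result["missing"] = sorted(et for et in kdc_keys if et not in present)
    return result


def ktutil_script(principal, kdc_keys, keytab_path):
    """Build the ktutil command lines that create one entry per KDC key: the same
    addent/wkt sequence import_credentials.sh pipes into ktutil. ktutil prompts
    for the password after each addent, so no secret is embedded here."""
    lines = ["addent -password -p %s -k %d -e %s" % (principal, kvno, enctype)
             for enctype, kvno in sorted(kdc_keys.items())]
    lines.append("wkt %s" % keytab_path)
    return lines


if __name__ == "__main__":
    for label, klist in (("broken", SAMPLE_KLIST_BROKEN), ("fixed", SAMPLE_KLIST_FIXED)):
        r = diagnose(SAMPLE_GETPRINC, klist)
        # A usable entry rules out "entry not found"; a wrong password fails differently.
        verdict = "matching entry present" if r["usable"] else "kinit will fail: Key table entry not found"
        print("%s keytab: %s" % (label, verdict))
        print("  usable=%d wrong_kvno=%d unknown=%d missing=%s" % (
            len(r["usable"]), len(r["wrong_kvno"]), len(r["unknown_enctype"]), r["missing"]))
    principal, keys = parse_getprinc(SAMPLE_GETPRINC)
    print("\n".join(ktutil_script(principal, keys, "/var/run/cloudera-scm-server/cmf-example.keytab")))
```

On a real VM you would feed the script the real outputs (`kadmin.local -q "getprinc cloudera-scm/admin"` and `klist -ket <keytab>`) instead of the constructed samples; the "missing" list is exactly the set of enctypes to add to the wizard's list before re-running the import step.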

Expert Contributor

Before you try mine, please uninstall the krb5-server and krb5-workstation packages.