Maybe this question has already been handled, but after struggling for a week with Kerberos I cannot find the right way to do it:
What is working:
I know that if I provide the kafka/hadoop-X.poc.domain.tld keytab to anyone and they then run kinit -kt keytab, it should work, but this is not a secure way to do so. I want to create new users or, even better, grant AD users the possibility of using their own credentials and Kerberos to access the Kafka brokers and be authorized by Ranger.
Ranger is running, but at the moment it is connected only to the UNIX accounts: does it have to be connected to AD to get this working?
Sorry if this question is like "how can I get rich", but I am a little lost.
Using this guide, I managed to create a kafkapro4 user and I copied the keytab to the hadoop-X nodes in the right folder. But when I run kinit -kt keytab ServiceAccount, it answers:
kinit -kt kafkapro.service.keytab kafkapro/hadoop-1.poc.domain.local@domain.LOCAL
kinit: Client 'kafkapro4/hadoop-1.poc.domain.local@DOMAIN.LOCAL' not found in Kerberos database while getting initial credentials
So I am quite a bit lost about how to manage it.
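The command and the error message in the post name the principal differently (kafkapro versus kafkapro4, domain.LOCAL versus DOMAIN.LOCAL), and Kerberos treats each of those as a distinct principal: primary, instance and realm are compared byte for byte. So before touching the KDC it is worth confirming that the principal handed to kinit is exactly one of the principals the keytab holds, as listed by klist -kt. The following is an added example, not code from the post or from any project: a POSIX shell function that does that comparison over klist -kt output. The keytab listing is constructed sample text that reuses the host and realm names from the post; the KVNO and timestamps are made up.

```shell
#!/bin/sh
# Added example: check that a kinit principal argument is present, byte for
# byte, in a keytab listing as printed by `klist -kt`.
#
#   check_keytab_principal <principal> <klist -kt output>
#
# Returns 0 on an exact match, 1 otherwise. On a miss it prints the entries
# that match ignoring case, which makes realm-case typos (domain.LOCAL vs
# DOMAIN.LOCAL) and name typos stand out immediately.

# Constructed sample of `klist -kt kafkapro.service.keytab` (KVNO and
# timestamps invented; names taken from the post). Keytabs usually carry one
# entry per encryption type, hence the repeated principal.
SAMPLE_KLIST='Keytab name: FILE:kafkapro.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2019 10:00:00 kafkapro4/hadoop-1.poc.domain.local@DOMAIN.LOCAL
   2 01/01/2019 10:00:00 kafkapro4/hadoop-1.poc.domain.local@DOMAIN.LOCAL'

keytab_principals() {
    # Data rows start with a numeric KVNO; the principal is the last field.
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

check_keytab_principal() {
    want=$1
    listing=$2
    princs=$(keytab_principals "$listing")

    # -F: fixed string (principals contain '/' and '@'); -x: whole line.
    if printf '%s\n' "$princs" | grep -Fxq "$want"; then
        echo "OK: $want is in the keytab"
        return 0
    fi

    echo "MISSING: $want is not in the keytab"
    # Same principal up to letter case? Then the realm or name case is wrong.
    near=$(printf '%s\n' "$princs" | grep -Fix "$want" || true)
    if [ -n "$near" ]; then
        echo "  differs only in case from: $near"
    else
        echo "  keytab contains:"
        printf '%s\n' "$princs" | sed 's/^/    /'
    fi
    return 1
}
```

Against a real keytab, call it as check_keytab_principal "$PRINC" "$(klist -kt "$KEYTAB")" on the node where the keytab was copied; only a principal that passes this check can possibly be found in the KDC, and if it passes and kinit still fails, the principal is genuinely missing from the KDC rather than mistyped.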
If you have users in AD/LDAP that you want to grant permissions to via Ranger, then you'll need to configure Ranger to sync with AD/LDAP. Another alternative is to use something like SSSD at the OS layer, which would make AD/LDAP accounts appear as local UNIX accounts. Then that should be transparent to Ranger.
I think that might do what you are looking for, but I'm not really a Kerberos expert.
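The first option in the answer, pointing Ranger usersync at AD/LDAP instead of the local UNIX accounts, is driven by the SYNC_* keys in the usersync install.properties. The following is an added example, not from the thread or from the Ranger project: three constructed install.properties fragments (the UNIX-backed default, an AD-backed one with two unsafe settings, and a corrected one) and a POSIX shell check that flags what would make the sync fail or leak the bind password. The hostname, base DNs, bind DN and password are placeholder values and are assumptions.

```shell
#!/bin/sh
# Added example: read Ranger usersync install.properties text and flag the
# settings that keep users UNIX-backed or make the AD bind unsafe.
#
#   check_usersync_props <properties text>   -> 0 if acceptable, 1 otherwise

# Constructed: the default, where only local /etc/passwd users reach Ranger.
UNIX_PROPS='SYNC_SOURCE = unix
MIN_UNIX_USER_ID_TO_SYNC = 500'

# Constructed: AD-backed but weak. Plain ldap:// means the simple bind sends
# the password in clear, and the empty password makes the bind fail anyway.
WEAK_PROPS='SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldap://dc1.poc.domain.local:389
SYNC_LDAP_BIND_DN = CN=rangersync,OU=ServiceAccounts,DC=poc,DC=domain,DC=local
SYNC_LDAP_BIND_PASSWORD =
SYNC_LDAP_USER_SEARCH_BASE = OU=Users,DC=poc,DC=domain,DC=local
SYNC_LDAP_USER_NAME_ATTRIBUTE = sAMAccountName'

# Constructed: the corrected fragment (placeholder DNs and password).
GOOD_PROPS='SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldaps://dc1.poc.domain.local:636
SYNC_LDAP_BIND_DN = CN=rangersync,OU=ServiceAccounts,DC=poc,DC=domain,DC=local
SYNC_LDAP_BIND_PASSWORD = placeholder-secret
SYNC_LDAP_SEARCH_BASE = DC=poc,DC=domain,DC=local
SYNC_LDAP_USER_SEARCH_BASE = OU=Users,DC=poc,DC=domain,DC=local
SYNC_LDAP_USER_OBJECT_CLASS = person
SYNC_LDAP_USER_NAME_ATTRIBUTE = sAMAccountName
SYNC_GROUP_SEARCH_ENABLED = true
SYNC_GROUP_SEARCH_BASE = OU=Groups,DC=poc,DC=domain,DC=local
SYNC_GROUP_OBJECT_CLASS = group
SYNC_GROUP_NAME_ATTRIBUTE = cn
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME = member'

prop() {
    # prop <key> <properties text>: print the trimmed value, or nothing.
    printf '%s\n' "$2" | awk -v k="$1" -F= '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }'
}

check_usersync_props() {
    props=$1
    rc=0

    src=$(prop SYNC_SOURCE "$props")
    if [ "$src" != "ldap" ]; then
        echo "FAIL: SYNC_SOURCE is '$src'; AD/LDAP users will not be synced into Ranger"
        return 1
    fi

    url=$(prop SYNC_LDAP_URL "$props")
    case "$url" in
        ldaps://*) ;;
        ldap://*)
            echo "FAIL: SYNC_LDAP_URL is plain ldap://; the bind password crosses the network in clear"
            rc=1 ;;
        *)
            echo "FAIL: SYNC_LDAP_URL missing or malformed: '$url'"
            rc=1 ;;
    esac

    # Without these the sync cannot bind or cannot map entries to user names.
    for key in SYNC_LDAP_BIND_DN SYNC_LDAP_BIND_PASSWORD \
               SYNC_LDAP_USER_SEARCH_BASE SYNC_LDAP_USER_NAME_ATTRIBUTE; do
        if [ -z "$(prop "$key" "$props")" ]; then
            echo "FAIL: $key is empty"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK: usersync is AD/LDAP-backed over LDAPS"
    fi
    return "$rc"
}
```

Run it as check_usersync_props "$(cat install.properties)" before executing the usersync setup script; the user name attribute chosen here (sAMAccountName) is what lets the names Ranger sees line up with the Kerberos principal names those same AD users authenticate with, which is the part of the original question that Ranger policies depend on.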
Finally, we went without Kerberos. It is really a pain.
We will research going for Knox with SSL and LDAP... I think I will live better than having such pain with Kerberos 🙂