I have HDP and HDF clusters each of which is Kerberos-enabled and they are separate clusters. How do I configure the PutHDFS processor for Kerberos principal and keytab so that I will be able to put files on HDFS with Nifi? How do I provide the Principal and Keytab for HDFS on the PutHDFS configuration?
@Kibrom Gebrehiwot simply grab yor keytab and your principle from the HDP cluster and place keytab each nifi node. It must be in the same directory on all nifi nodes. Also you will need your core-site.xml and hdfs-site.xml, do the same and put them on all nifi nodes on same directory structure.
here is screen shot from my config
Making sure I am clear. The keytab, core-site.xml, and hdfs-site.xml must be put on all nifi nodes and use same directory structure. meaning if you place your keytab on nifi node in /home/user1/my.keytab then all nodes you must store my.keytab under /home/user1. same goes for core-site.xml and hdfs-site.xml
You grab your core-site.xml and hdfs-site.xml from your hdp cluster or download the client config from ambari.
Thank you @Sunile Manjee for your response.
I copied the keytabs from HDP to my HDF cluster but how can I grab the principals directly from the HDP?
I have copied the Hadoop Configuration files (core-site.xml and hdfs-site.xml) to HDF directory and they are working fine.
I also tried the following:
ktaddcommand of kadmin as
kadmin -q "ktadd -k /etc/security/keytabs/hdfs.headless.keytab hdfs-hdp-cluster@DOMAIN.COM"
"kinit -kt/etc/security/keytabs/hdfs.headless.keytabhdfs-hdp-cluster@DOMAIN.COM" on the HDF node which was successful
But still unable to connect to the HDFS from PutHDFS. What could be the problem?
You should use your keytab and principle, not the service keytab. now if your nifi cluster does not have JCE set to unlimited, you may have issues. I also recently found even if you are able to kinit, it still may have issues once nifi trying to put files on kerberized hdfs. much to do with JCE not being set to unlimited. best to verify your jvm is set so. To get around this I use the following to create my keytab (not the most secure crypto):
ktutil addent -password -p yourprincple@MYDOMAIN -k 1 -e des3-cbc-sha1 mypassword wkt your.keytab q
Now a keytab is created (your.keytab). Use this keytab and your principle.
I tried all what you suggested. but with no luck.
ktutil: addent -password -p kibrom@MYDOMAIN.COM -k 1 -e des3-cbc-sha1
Password for kibrom@MYDOMAIN.COM:
ktutil: wkt /etc/security/keytabs/kibrom.keytab
slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 1 kibrom@MYDOMAIN.COM
Finally, I provided the principal and keytab to PutHDFS configuration. But the same error occurs on PutHDFS.
the kinit was not successful too.
# kinit kibrom@MYDOMAIN.COM -k -t /etc/security/keytabs/kibrom.keytab kinit: Client 'kibrom@MYDOMAIN.COM' not found in Kerberos database while getting initial credentials.
I also checked that JCE is enabled in both cluster nodes. Do I need to create the principal manually first?
@Jeff Storck I didn't have the HDP's realm defined on my Nifi's krb5.conf before. Now, I added the realm for my HDP cluster's KDC to krb5.conf of the HDF cluster, restarted the krb5kdc service, and tried again. But still the same error.