Support Questions

nhgodwal · ‎10-17-2017

I am running below command on ubuntu node where my single node hadoop cluster(kerberized) with existing Active Directory:

root@host1:~# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-testcluster@SRV.COM

Where, hadoop_cluster_name = testcluster, Realm=SRV.COM

I am trying to access hdfs with hdfs service-principal name. But I am not sure in this command what is the user-principal who is requesting this service. Is it the "kadmin Principal" which I set during configuration setting of Kerberos?

smayani · ‎10-17-2017

here hdfs-testcluster@SRV.COM is your user principal. Following command will tell you the encryption type and user principle in this keytab.

# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
# ##### hdfs-testcluster@SRV.COM (####)
# ##### hdfs-testcluster@SRV.COM (####)

when you run hdfs command, this gets translated to hdfs user by following property: hadoop.security.auth_to_local and rule: RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/

View solution in original post

rlevas · ‎10-17-2017

@Neha G

Your question is unclear, however in the kinit line you posted, the principal is hdfs-testcluster@SRV.COM. This is typically the "root" user for HDFS and is generally translated to the local user with the username "hfds" using the configured auth-to-local rule set. Using this principal, you should have full access to manage HDFS.

To see the current Kerberos ticket cache for the active user, you can issue the command

klist

This will show you what identity is being used as the authenticated user, if a user was authenticated.

smayani · ‎10-17-2017

here hdfs-testcluster@SRV.COM is your user principal. Following command will tell you the encryption type and user principle in this keytab.

# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
# ##### hdfs-testcluster@SRV.COM (####)
# ##### hdfs-testcluster@SRV.COM (####)

when you run hdfs command, this gets translated to hdfs user by following property: hadoop.security.auth_to_local and rule: RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/

Shelton · ‎10-17-2017

@Neha G

In a kerberized cluster there are 2 types of keytabs or principals headless and service principals.

Headless principals are not bound to a specific host or node and are presented like @ SRV.COM

Service principals are bound to a specific service and host or node, and are presented like with syntax: /@ SRV.COM

So when you initialize the hdfs.headless.keytab is as DoAs so the user will take hdfs permissions

Cloudera Community

Support Questions

In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command?