Created on 10-17-2017 04:34 PM - edited 09-16-2022 05:24 AM
I am running the command below on an Ubuntu node where my single-node Hadoop cluster (kerberized) works with an existing Active Directory:
root@host1:~# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-testcluster@SRV.COM
Where hadoop_cluster_name = testcluster, Realm = SRV.COM
I am trying to access HDFS with the hdfs service principal name, but I am not sure who the user principal requesting this service is in this command. Is it the "kadmin principal" which I set during the Kerberos configuration?
Created 10-17-2017 04:49 PM
Here hdfs-testcluster@SRV.COM is your user principal. The following command will tell you the encryption type and user principal in this keytab:
# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   # ##### hdfs-testcluster@SRV.COM (####)
   # ##### hdfs-testcluster@SRV.COM (####)
When you run an hdfs command, this principal gets translated to the hdfs user by the property hadoop.security.auth_to_local and the rule: RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/
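Because the keytab is the only credential kinit -kt uses, a check worth doing before the kinit above is to confirm which principals, key versions and encryption types the keytab actually holds. The following is an added example, not code from the thread and not part of MIT Kerberos or Hadoop: it parses klist -kte output (the real output in the answer above is redacted with #, so the sample here is a constructed one in the MIT format with made-up timestamps, KVNOs and key entries) and flags weak encryption types. Which enctype families count as weak is the author's policy assumption, not a Kerberos default.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kte` output (MIT Kerberos layout); the
# timestamps, KVNOs and the last two key entries are made up for illustration.
SAMPLE_KLIST_KTE = """\
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/17/17 16:30:01 hdfs-testcluster@SRV.COM (aes256-cts-hmac-sha1-96)
   2 10/17/17 16:30:01 hdfs-testcluster@SRV.COM (aes128-cts-hmac-sha1-96)
   2 10/17/17 16:30:01 hdfs-testcluster@SRV.COM (arcfour-hmac)
   1 09/01/17 09:12:44 hdfs-testcluster@SRV.COM (des-cbc-md5)
"""

# One keytab entry line: KVNO, a timestamp (may contain a space), the
# principal, and the enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")

# Enctype families this example treats as weak (assumed policy): single DES,
# triple DES and RC4/arcfour.
WEAK_ENCTYPE_RE = re.compile(r"^(des-|des3-|arcfour-|rc4-)", re.IGNORECASE)


def parse_klist_kte(text):
    """Return (keytab_name, entries) with entries as (kvno, principal, enctype)."""
    keytab_name = None
    entries = []
    for line in text.splitlines():
        if line.startswith("Keytab name:"):
            keytab_name = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            kvno, _timestamp, principal, enctype = m.groups()
            entries.append((int(kvno), principal, enctype))
    return keytab_name, entries


def audit_keytab(text):
    """Summarise what `kinit -kt` could use from this keytab and what to worry about."""
    keytab_name, entries = parse_klist_kte(text)
    kvnos = defaultdict(set)
    for kvno, principal, _enctype in entries:
        kvnos[principal].add(kvno)
    return {
        "keytab": keytab_name,
        # The principals you can pass to kinit -kt with this file.
        "principals": sorted(kvnos),
        # Keys the KDC may still accept but that should be removed from the policy.
        "weak": [(p, e) for _, p, e in entries if WEAK_ENCTYPE_RE.match(e)],
        # Several KVNOs for one principal means the file carries keys from more
        # than one re-key; kinit only needs the version the KDC currently holds,
        # the older entries are leftovers worth checking.
        "mixed_kvno": sorted(p for p, v in kvnos.items() if len(v) > 1),
    }


if __name__ == "__main__":
    for key, value in audit_keytab(SAMPLE_KLIST_KTE).items():
        print(f"{key:10} {value}")
```

Run it against real output with `klist -kte /path/to.keytab | python3 audit.py` after replacing SAMPLE_KLIST_KTE with sys.stdin.read(); if "weak" is non-empty, the account still has DES/RC4 keys in the KDC and the keytab should be regenerated after tightening the allowed enctypes.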
Created 10-17-2017 04:42 PM
Your question is unclear; however, in the kinit line you posted, the principal is hdfs-testcluster@SRV.COM. This is typically the "root" user for HDFS and is generally translated to the local user with the username "hdfs" using the configured auth-to-local rule set. Using this principal, you should have full access to manage HDFS.
To see the current Kerberos ticket cache for the active user, you can issue the command
klist
This will show you what identity is being used as the authenticated user, if a user was authenticated.
Created 10-17-2017 04:54 PM
In a kerberized cluster there are 2 types of keytabs or principals: headless and service principals.
Headless principals are not bound to a specific host or node and are presented like <name>@SRV.COM.
Service principals are bound to a specific service and host or node, and are presented with the syntax <service>/<host>@SRV.COM.
So when you initialize with hdfs.headless.keytab it is like a DoAs: the user will take the hdfs permissions.
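To see concretely how the hadoop.security.auth_to_local rule quoted in the first answer turns hdfs-testcluster@SRV.COM into the local user hdfs, and how the same mechanism handles the headless (name@REALM) and service (service/host@REALM) principal shapes described in this answer, here is an added example that reimplements the rule evaluation in Python. It is not Hadoop's code (Hadoop does this in its KerberosName class) and not from the thread; the second and third rules, the default realm and every principal other than hdfs-testcluster@SRV.COM are assumed for illustration.

```python
import re

# Grammar of one hadoop.security.auth_to_local rule, reimplemented here for
# illustration (this is not Hadoop's own parser):
#   RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/[g]
#   DEFAULT
# <n> is the number of components before '@'; <format> may use $0 for the
# realm, $1 for the first component and $2 for the second; the (<regex>) and
# the s/// parts are optional. The trailing /L lowercase flag of newer Hadoop
# releases is not modelled.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\]"       # [n:format]
    r"(?:\(([^)]*)\))?"              # optional (regex) the formatted name must fully match
    r"(?:s/([^/]*)/([^/]*)/(g?))?$"  # optional sed-style substitution, g = replace all
)


def split_principal(principal):
    """'nn/host1.srv.com@SRV.COM' -> (['nn', 'host1.srv.com'], 'SRV.COM')."""
    if "@" not in principal:
        raise ValueError(f"principal without realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, components, realm, default_realm):
    """Return the local name this one rule yields, or None if it does not apply."""
    if rule == "DEFAULT":
        # DEFAULT maps principals of the local realm to their first component.
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    n, fmt, regex, pattern, replacement, repeat = m.groups()
    if int(n) != len(components):
        return None  # rule is written for a different component count
    params = [realm] + components  # $0 = realm, $1.. = components

    def expand(mm):
        idx = int(mm.group(1))
        if idx >= len(params):
            raise ValueError(f"${idx} in {rule!r} but principal has {len(components)} component(s)")
        return params[idx]

    base = re.sub(r"\$(\d)", expand, fmt)
    if regex is not None and re.fullmatch(regex, base) is None:
        return None  # the (regex) is what scopes the rule to specific principals
    result = base
    if pattern is not None:
        # Java-style $1 back-references in the replacement become Python's \1.
        py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
        result = re.sub(pattern, py_repl, base, count=0 if repeat else 1)
    if re.search(r"[/@]", result):
        # Hadoop rejects "non-simple" names that still carry a host or realm.
        raise ValueError(f"non-simple name {result!r} after rule {rule!r}")
    return result


def to_local(principal, rules, default_realm):
    """First matching rule wins; None means no rule matched (Hadoop raises NoMatchingRule there)."""
    components, realm = split_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


DEFAULT_REALM = "SRV.COM"  # assumed default realm of the cluster
RULES = [
    "RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/",  # the rule quoted in the thread
    "RULE:[2:$1@$0]([nd]n@SRV.COM)s/.*/hdfs/",             # assumed: nn/host, dn/host -> hdfs
    "RULE:[2:$1@$0](.*@SRV.COM)s/@.*//",                   # assumed: other service principals -> first component
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ["hdfs-testcluster@SRV.COM", "nn/host1.srv.com@SRV.COM",
              "yarn/host1.srv.com@SRV.COM", "alice@SRV.COM", "alice@OTHER.COM"]:
        print(f"{p:32} -> {to_local(p, RULES, DEFAULT_REALM)}")
```

The point to take from running it: the (regex) part is what keeps s/.*/hdfs/ from handing HDFS superuser rights to every principal. A rule such as RULE:[1:$1@$0]s/.*/hdfs/ with no regex would map any one-component principal of any realm to hdfs, and a principal from a realm without a matching rule (alice@OTHER.COM above) gets no local name at all, which is why cross-realm Active Directory users need their own rule rather than relying on DEFAULT.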