In Kerberos setting, in a HDP, how to confirm which user Principal is authenticated for the service keytab when running kinit command?

Explorer

I am running the command below on the Ubuntu node that hosts my single-node Hadoop cluster (Kerberized) with an existing Active Directory:

root@host1:~# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-testcluster@SRV.COM

where hadoop_cluster_name = testcluster and Realm = SRV.COM.

I am trying to access HDFS with the hdfs service-principal name. But I am not sure which user principal is requesting this service in this command. Is it the "kadmin principal" which I set during the configuration of Kerberos?

1 ACCEPTED SOLUTION

Expert Contributor

Here hdfs-testcluster@SRV.COM is your user principal. The following command will tell you the encryption type and user principal in this keytab.

# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
# ##### hdfs-testcluster@SRV.COM (####)
# ##### hdfs-testcluster@SRV.COM (####)

When you run an hdfs command, this gets translated to the hdfs user by the following property: hadoop.security.auth_to_local, and rule: RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/

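To show how that auth_to_local rule turns the principal into the local user, here is a small Python re-implementation of the rule evaluation (an added example for this thread, not Hadoop's own code; it follows the RULE:[n:string](regex)s/from/to/ syntax and the DEFAULT rule, and the service principal nn/host1.srv.com@SRV.COM used as sample input is constructed):

```python
import re

# One rule: RULE:[n:format](match-regex)s/from/to/g  -- the (regex) and s/// parts are optional.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")


def split_principal(principal):
    """Split 'primary/instance@REALM' into (components, realm)."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm):
    """Return the local name this rule produces for the principal, or None if it does not apply."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps names in the default realm to their first component only.
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("bad rule: " + rule)
    n, fmt, match_re, frm, to, flag = m.groups()
    if int(n) != len(components):  # [1:...] only applies to one-component (headless) names
        return None
    params = [realm] + components  # $0 = realm, $1 = primary, $2 = instance
    base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
    if match_re is not None and not re.fullmatch(match_re, base):
        return None
    if frm is not None:
        to = re.sub(r"\$(\d)", r"\\\1", to)  # Java-style $N group refs -> Python \N
        base = re.sub(frm, to, base, count=0 if flag else 1)
    return base


def short_name(principal, rules, default_realm):
    """First matching rule wins, as in hadoop.security.auth_to_local; None if no rule matches."""
    for rule in rules:
        name = apply_rule(rule, principal, default_realm)
        if name is not None:
            if "@" in name or "/" in name:
                raise ValueError("rule result is not a short name: " + name)
            return name
    return None


RULES = [
    "RULE:[1:$1@$0](hdfs-testcluster@SRV.COM)s/.*/hdfs/",  # headless principal from the thread
    "RULE:[2:$1@$0](nn@SRV.COM)s/.*/hdfs/",                # constructed: NameNode service principal
    "DEFAULT",
]

if __name__ == "__main__":
    for p in ["hdfs-testcluster@SRV.COM", "nn/host1.srv.com@SRV.COM", "alice@SRV.COM", "bob@OTHER.COM"]:
        print(p, "->", short_name(p, RULES, "SRV.COM"))
```

Note that a principal from a realm that no rule covers (bob@OTHER.COM here) gets no local user at all, which is why a missing or overly narrow rule set shows up as an authorization failure rather than a Kerberos error.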

3 REPLIES

@Neha G

Your question is unclear, however in the kinit line you posted, the principal is hdfs-testcluster@SRV.COM. This is typically the "root" user for HDFS and is generally translated to the local user with the username "hdfs" using the configured auth-to-local rule set. Using this principal, you should have full access to manage HDFS.

To see the current Kerberos ticket cache for the active user, you can issue the command

klist

This will show you what identity is being used as the authenticated user, if a user was authenticated.

Mentor

@Neha G

In a Kerberized cluster there are two types of keytabs or principals: headless and service principals.

Headless principals are not bound to a specific host or node and are presented like <user>@SRV.COM.

Service principals are bound to a specific service and host or node, and are presented with the syntax <service>/<host>@SRV.COM.

So when you initialize with hdfs.headless.keytab, it acts as DoAs, so the user will take on hdfs permissions.
