
Kerberos Enable first time

Explorer

Hi,

I have HDP installed on my cluster. Now the next task is to enable Kerberos for the HDP cluster. Can someone point me to step-by-step documentation please? Do I need AD/LDAP as well? It's a development cluster.

1 ACCEPTED SOLUTION

Master Mentor

@Mudit Kumar

Testing for Hive or HBase is straightforward too, similar to the previous steps.

Without a Kerberos ticket

From root, switch to the hive or hbase user

# su - hive 

or

# su - hbase 

Check if the user already has a ticket

$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1013) 

If you see output different from the above, destroy the ticket

$ kdestroy 

Try accessing the Hive or HBase shell CLI

$ hive 

or

$ hbase shell 

When you press "ENTER", this should give you an error for both Hive and HBase.

Test with Kerberos for Hive

$ klist -ket /etc/security/keytabs/hive.keytab
Keytab name: FILE:/etc/security/keytabs/hive.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (des3-cbc-sha1)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (aes128-cts-hmac-sha1-96)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (arcfour-hmac)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (des-cbc-md5)
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM} (aes256-cts-hmac-sha1-96)

Test with Kerberos for HBase

$ klist -ket /etc/security/keytabs/hbase.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (des3-cbc-sha1)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (aes128-cts-hmac-sha1-96)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (arcfour-hmac)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (des-cbc-md5)
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM} (aes256-cts-hmac-sha1-96)

Note the difference with the command below: it won't show you the encryption types.

Check the principal for Hive

$ klist -kt /etc/security/keytabs/hive.keytab
Keytab name: FILE:/etc/security/keytabs/hive.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hive-{host_name}@{YOUR_REALM}

Check the principal for HBase

$ klist -kt /etc/security/keytabs/hbase.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM}
   1 05/10/18 22:25:31 hbase-{host_name}@{YOUR_REALM}

Grab a ticket. Note that I switch to kinit, NOT klist, and I append the principal, hive-{host_name}@{YOUR_REALM} or hbase-{host_name}@{YOUR_REALM}, after the keytab:

$ kinit -kt /etc/security/keytabs/hive.keytab hive-{host_name}@{YOUR_REALM}

or

$ kinit -kt /etc/security/keytabs/hbase.keytab hbase-{host_name}@{YOUR_REALM}

Now I should have a valid ticket, as shown below, for either Hive or HBase

$ klist
Ticket cache: FILE:/tmp/krb5cc_507
Default principal: hive-{host_name}@{YOUR_REALM}

Valid starting       Expires              Service principal
xx/xx/xx xx:xx:xx    xx/xx/xx xx:xx:xx    krbtgt/{YOUR_REALM}@{YOUR_REALM}
        renew until xx/xx/xx xx:xx:xx

Now I should be able to connect to the Hive CLI

$ hive 

After some time you should see the output below

$ hive
WARNING: Use "yarn jar" to launch YARN applications
................
Logging initialized using configuration in file:/etc/hive/2.5.0.0-817/0/hive-log4j.properties
hive>

Now you can run all your Hive queries.

For HBase

$ klist
Ticket cache: FILE:/tmp/krb5cc_507
Default principal: hbase-{host_name}@{YOUR_REALM}

Valid starting       Expires              Service principal
xx/xx/xx xx:xx:xx    xx/xx/xx xx:xx:xx    krbtgt/{YOUR_REALM}@{YOUR_REALM}
        renew until xx/xx/xx xx:xx:xx

Now I should be able to connect to the HBase shell, and there shouldn't be any error

$ hbase shell 
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 0.94.23, rf42302b28aceaab773b15f234aa8718fff7eea3c, Thursday  May 10 18:54:09 UTC 2018
hbase(main):001:0>

Voila, you are done.

As reiterated, please "Accept" and close the thread. You can open a new thread, as this one has become long 🙂


View solution in original post
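As an added example (not code from the thread or from the HDP project), the script below automates the checks in the accepted answer: it reads a keytab listing, confirms that it holds exactly the expected principal, flags the weak encryption types that appear in the listings above (single DES, triple DES and RC4/arcfour), and wraps the "no ticket must fail, kinit with keytab must succeed" test for a service CLI. The keytab paths and principal form follow the answer; the hostname node1, the realm EXAMPLE.COM, the sample listing (constructed, not captured from a cluster) and the hive/hbase commands passed to the live check are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread. It automates the keytab
# and ticket checks from the accepted answer and flags weak encryption types
# in a keytab listing. Keytab paths and principal forms follow the thread;
# the hostname (node1), realm (EXAMPLE.COM) and the hive/hbase commands
# used for the live check are assumptions.
set -u

# Enctypes that should not be in a service keytab any more: single DES is
# broken, RC4 (arcfour) and triple DES are deprecated. A keytab that still
# carries them lets a KDC that also still offers them fall back to a weak key.
WEAK_ENCTYPE_RE='des-cbc-crc|des-cbc-md4|des-cbc-md5|des3-cbc-sha1|arcfour-hmac|arcfour-hmac-exp'

# Print the distinct weak enctypes in `klist -ket` output read from stdin.
# The enctype is the parenthesised token at the end of each key line.
weak_enctypes_in_listing() {
    sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p' \
        | grep -E "^(${WEAK_ENCTYPE_RE})$" | LC_ALL=C sort -u
}

# Print the distinct principals in `klist -kt` or `klist -ket` output (stdin).
# Key lines begin with a numeric KVNO; the principal is the fourth field.
principals_in_listing() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | LC_ALL=C sort -u
}

# Audit a listing from stdin: succeed only if it holds exactly the expected
# principal and no weak enctypes; print each finding otherwise.
audit_keytab_listing() {
    local expected="$1" listing princs weak rc=0
    listing=$(cat)
    princs=$(printf '%s\n' "$listing" | principals_in_listing)
    weak=$(printf '%s\n' "$listing" | weak_enctypes_in_listing)
    if [ "$princs" != "$expected" ]; then
        echo "unexpected principal(s): $(printf '%s\n' "$princs" | tr '\n' ' ')"; rc=1
    fi
    if [ -n "$weak" ]; then
        echo "weak enctypes present: $(printf '%s\n' "$weak" | tr '\n' ' ')"; rc=1
    fi
    return $rc
}

# Live variant for a cluster node with the MIT Kerberos tools installed.
audit_keytab() {
    klist -ket "$1" | audit_keytab_listing "$2"
}

# The enforcement check from the answer, end to end: the service CLI must fail
# with no ticket and succeed after kinit with the keytab. Run as the service
# user; "$@" is the command to test, e.g. hive -e 'show databases'.
verify_enforcement() {
    local keytab="$1" principal="$2"; shift 2
    kdestroy 2>/dev/null || true
    if "$@" >/dev/null 2>&1; then
        echo "FAIL: '$*' succeeded without a ticket, Kerberos is not enforced"; return 1
    fi
    kinit -kt "$keytab" "$principal" || return 1
    klist -s || { echo "FAIL: no valid ticket after kinit"; return 1; }
    "$@" >/dev/null 2>&1 || { echo "FAIL: '$*' failed with a valid ticket"; return 1; }
    echo "OK: '$*' denied without a ticket, allowed as $principal"
}

# Constructed listing in the shape `klist -ket` prints, mirroring the answer's
# output (not captured from a real cluster); used for the offline run below.
SAMPLE_LISTING='Keytab name: FILE:/etc/security/keytabs/hive.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/10/18 22:25:31 hive-node1@EXAMPLE.COM (des3-cbc-sha1)
   1 05/10/18 22:25:31 hive-node1@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 05/10/18 22:25:31 hive-node1@EXAMPLE.COM (arcfour-hmac)
   1 05/10/18 22:25:31 hive-node1@EXAMPLE.COM (des-cbc-md5)
   1 05/10/18 22:25:31 hive-node1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Offline demo: ./keytab_check.sh --demo
# On a node: audit_keytab /etc/security/keytabs/hive.keytab hive-node1@EXAMPLE.COM
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | audit_keytab_listing "hive-node1@EXAMPLE.COM"
fi
```

Run against the sample listing, the audit fails and reports arcfour-hmac, des-cbc-md5 and des3-cbc-sha1; a keytab that carries only the AES enctypes passes. For the live check, `verify_enforcement /etc/security/keytabs/hive.keytab hive-node1@EXAMPLE.COM hive -e 'show databases'` is the Hive case. The interactive `hbase shell` does not reliably return a non-zero exit status when a command fails, so for HBase pass a non-interactive invocation (recent releases offer `hbase shell -n` for exactly this; check your release) rather than piping into the plain shell.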

11 REPLIES

Master Mentor

@Mudit Kumar

Hopefully, this helped. If it did, please 'Accept' and 'upvote' the answer, thereby closing the thread.

Thank you!!

Explorer

@Geoffrey Shelton Okot: Now I need to access my HDP cluster from my laptop using curl/REST API, but I am not able to do so. My laptop is in a different AD domain. I tried enabling SPNEGO/HTTP as well, but no luck. The curl call works inside the cluster but not from outside. Any documentation help on that?