
Kerberos setup on a two node Cluster

Hi All,

After Kerberizing my two node cluster using the Ambari wizard it says that Kerberos is set up. hdfs groups <user> does not work anymore from a regular user. However, if I sudo su hdfs, I can still run hdfs commands even without the kinit command. Is this the proper behavior or is something off with the configuration?

Any help is much appreciated!

Raffi

Re: Kerberos setup on a two node Cluster

@Raffi Abberbock

- Regarding your query: "I can still run hdfs commands even without the kinit command."

>> Please run the "klist" command from the "hdfs" user to see if it already has a ticket which has not expired yet. Without a ticket it cannot communicate with the HDFS service components (if Kerberos is properly set up).

Try the following:

1). Sudo to the "hdfs" user. Or if you want to use some other user like "testuser" then you can do "su - testuser"

[root@kjss1 ~]# su - hdfs

2). Do a "klist" to see whether you have a valid Kerberos ticket.

[hdfs@kjss1 ~]$ klist

3). If you do not see any valid ticket, then list the keytab to find out what your "Principal name" is.

[hdfs@kjss1 ~]$ klist -kte /etc/security/keytabs/hdfs.headless.keytab 


Example Output
--------------
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 08/10/16 13:43:31 hdfs-JoyCluster@EXAMPLE.COM (des3-cbc-sha1) 
   4 08/10/16 13:43:31 hdfs-JoyCluster@EXAMPLE.COM (arcfour-hmac) 
   4 08/10/16 13:43:31 hdfs-JoyCluster@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   4 08/10/16 13:43:31 hdfs-JoyCluster@EXAMPLE.COM (des-cbc-md5) 
   4 08/10/16 13:43:31 hdfs-JoyCluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 

4). Now you can do the "kinit" to get the Kerberos ticket. From the above command we got to know that the principal name is "hdfs-JoyCluster@EXAMPLE.COM".

[hdfs@kjss1 ~]$ kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-JoyCluster@EXAMPLE.COM 


[hdfs@kjss1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_504
Default principal: hdfs-JoyCluster@EXAMPLE.COM
Valid starting     Expires            Service principal
12/16/16 12:21:27  12/17/16 12:21:27  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 12/16/16 12:21:27

5). Now try the hdfs commands.
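
Steps 2 to 4 of the reply above as a script, added here as an example and not part of the original post. The function names are hypothetical, and it assumes MIT Kerberos `klist` output in the layout quoted in the thread (MM/DD/YY timestamps); `klist -s` reports through its exit status whether a readable, unexpired cache exists.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Sample text taken from the outputs quoted in the reply (two keytab rows kept).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 08/10/16 13:43:31 hdfs-JoyCluster@EXAMPLE.COM (arcfour-hmac)
   4 08/10/16 13:43:31 hdfs-JoyCluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_504
Default principal: hdfs-JoyCluster@EXAMPLE.COM
Valid starting     Expires            Service principal
12/16/16 12:21:27  12/17/16 12:21:27  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Step 3: print the distinct principal(s) found in `klist -kte` output on stdin.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $4 ~ /@/ { print $4 }' | sort -u
}

# Step 2: classify `klist` output on stdin as valid, expired or none.
# $1 is the current time as "MM/DD/YY HH:MM:SS" (defaults to now); timestamps
# are compared as YYMMDDHHMMSS strings, so both must fall in the same century.
tgt_state() {
    awk -v now="${1:-$(date '+%m/%d/%y %H:%M:%S')}" '
        function key(d, t,   a) { split(d, a, "/"); gsub(":", "", t); return a[3] a[1] a[2] t }
        BEGIN { split(now, n, " "); nowkey = key(n[1], n[2]); state = "none" }
        $5 ~ /^krbtgt\// { state = (key($3, $4) > nowkey) ? "valid" : "expired" }
        END { print state }'
}

# Steps 2-4 on a live host: reuse a valid cache, otherwise kinit from the keytab.
ensure_ticket() {
    kt=${1:-/etc/security/keytabs/hdfs.headless.keytab}
    klist -s && return 0        # exit status 0: cache is readable and not expired
    princ=$(klist -kte "$kt" | keytab_principals)
    if [ "$(printf '%s\n' "$princ" | grep -c .)" != 1 ]; then
        echo "expected exactly one principal in $kt" >&2
        return 1
    fi
    kinit -kt "$kt" "$princ"
}
```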

Re: Kerberos setup on a two node Cluster

@Raffi Abberbock

If you are still getting any error / exception while doing the following then can you please share your output.

hdfs groups <user>

Re: Kerberos setup on a two node Cluster

Thanks for your help! After running the klist command as the hdfs user, I see that it has a valid Kerberos ticket. So anyone can sudo as the hdfs user and run the commands. Is this a common setup? I would have expected that you need to request the ticket first, but I guess Ambari has set that up already.

Re: Kerberos setup on a two node Cluster

@Raffi Abberbock

You can get more information about this security feature at the following link.

https://github.com/HortonworksUniversity/Security_Labs#lab-1

Please have a look at the "Why is security needed?" section from the above tutorial.
