
Service installed with CSD is not picking up externally managed kerberos keytab


The service being installed needs to use another service's keytab. I have read the portion of the wiki about externalKerberosPrincipals, but it is not clear how that property should be used, or what changes other properties need to make.

I have tried the following:
1) Adding this to the roles section

    "externalKerberosPrincipals" : [
      {
        "name" : "principal1",
        "primary" : "${principal}",
        "instance" : "${host}"
      },
      {
        "name" : "principal2",
        "primary" : "alice",
        "instance" : "${host}"
      }
    ]

2) Adding this to the roles.configWriter.generators

    "kerberosPrincipals" : [
      {
        "principalName" : "bluetalon_principal",
        "propertyName" : "bluetalon.kerberos.principal",
        "external" : "true",
        "instanceWildcard" : "_HOST"
      },
      {
        "principalName" : "bluetalon_principal2",
        "propertyName" : "bluetalon.other.kerberos.principal",
        "external" : "true",
        "instanceWildcard" : "_HOST"
      }
    ],

The key things that need to happen for this to work are that the principal names and keytab locations need to get added to the service's site file. The reason they can't be added statically is that the principal names depend on the host and the realm, e.g. alice/hostname1@EXAMPLE.COM, and the keytab location of the external service changes every time that service is restarted.

Is there a way to use the sdl file to handle all of the restrictions I've mentioned?

Re: Service installed with CSD is not picking up externally managed kerberos keytab

Cloudera Employee

Hello,

I think I've identified a couple of mistakes in the CSD sections you posted. That should be why it didn't work as expected. Please try to fix the following:

  • externalKerberosPrincipals should be declared at the service descriptor level; it seems that you have declared it in a role
  • in the config generator section, each entry should reference one of the previously defined principal names in externalKerberosPrincipals, therefore the principalName field must match the name field as declared earlier

Let me know if this solves your issue, thanks.
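
The two checks named in the reply above, written as a small Python linter. This is an added example, not part of either post and not Cloudera's code. `SAMPLE_SDL` is constructed from the question's snippets; `EXAMPLE_SERVICE`, `EXAMPLE_ROLE` and `lint_external_principals` are assumed names, and generators are assumed to sit under `roles[].configWriter.generators` as the question states.

```python
# Constructed SDL fragment (not a complete descriptor) with the layout from
# the question; EXAMPLE_SERVICE and EXAMPLE_ROLE are placeholder names.
SAMPLE_SDL = {
    "name": "EXAMPLE_SERVICE",
    "roles": [{
        "name": "EXAMPLE_ROLE",
        "externalKerberosPrincipals": [
            {"name": "principal1", "primary": "${principal}", "instance": "${host}"},
            {"name": "principal2", "primary": "alice", "instance": "${host}"},
        ],
        "configWriter": {"generators": [{
            "kerberosPrincipals": [
                {"principalName": "bluetalon_principal",
                 "propertyName": "bluetalon.kerberos.principal",
                 "external": "true", "instanceWildcard": "_HOST"},
                {"principalName": "bluetalon_principal2",
                 "propertyName": "bluetalon.other.kerberos.principal",
                 "external": "true", "instanceWildcard": "_HOST"},
            ],
        }]},
    }],
}


def lint_external_principals(sdl):
    """Report the two mistakes named in the reply; an empty list means neither."""
    findings = []
    # Names that generator entries may reference (service level only).
    declared = {p["name"] for p in sdl.get("externalKerberosPrincipals", [])}
    for role in sdl.get("roles", []):
        rname = role.get("name", "?")
        if "externalKerberosPrincipals" in role:
            findings.append(f"{rname}: externalKerberosPrincipals declared in a role, "
                            "move it to the service descriptor level")
        for gen in role.get("configWriter", {}).get("generators", []):
            for ref in gen.get("kerberosPrincipals", []):
                # The question writes "external" as the string "true"; accept a bool too.
                external = str(ref.get("external", "")).lower() == "true"
                if external and ref.get("principalName") not in declared:
                    findings.append(f"{rname}: principalName {ref.get('principalName')!r} "
                                    "matches no declared external principal name")
    return findings


if __name__ == "__main__":
    for finding in lint_external_principals(SAMPLE_SDL):
        print(finding)
```

Run against the question's layout it reports three findings: the role-level declaration and the two `principalName` values that match no declared `name`.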
