Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

unable to authenticate as "username" to cluster after enabling kerberos

avatar
author-rank narendra_klu9
Explorer

Created on ‎11-07-2018 01:28 PM - edited ‎09-16-2022 06:52 AM

I enabled kerbros using MIT KDC. MIT KDC has a trust setup with Active Directory. Say my AD realm was "EXAMPLE.COM" and local realm was "HADOOP.CLUSTERNAME.EXAMPLE.COM".

When i do a kinit <username>@EXAMPLE.COM, i'm able to get a kerberos ticket from the Active Directory. Now this should allow me to use hadoop as "username". However, instead it allows me to use only if i'm "username@EXAMPLE.COM".

Ex 1:

once authenticated with kerberos:

hadoop fs -put <localfile> /user/<username>/ - doesn't allow

But,

hadoop fs -mkdir /user/<username>@EXAMPLE.COM

hadoop fs -put <localfile> ---- this works

Ex 2:

hbase shell

user "username" has permission to access a table but, won't be allowed to access the table unless "username@EXAMPLE.COM" has access to table (or in other words):

after kinit <username>@EXAMPLE.COM

grant '<username>','R','tablename' --- will not allow me to access the table whereas grant '<username@EXAMPLE.COM>','R','tablename' will allow me to access the table.

2,413 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎11-07-2018 02:53 PM

@Narendra Neerukonda

There is a place in the Ambari UI to set "additional realms". This is a comma-delimited list of realm names that Ambari will use to generate special auth-to-local rules. For each realm, Ambari will add the following rule

RULE:[1:$1@$0](.*@REALM)s/@.*//

For your example, you will add "EXAMPLE.COM" to the additional realms field. Ambari will then add the following rule to all auth-to-local rule properties it knows about:

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

Then principal names like user@EXAMPLE.COM will be translated into "username" when services are perform auto-to-local rule translations.

The "Additional Realms" field is found in the administrative Kerberos view... not to be confused with the Kerberos service view.

Make sure that you have also edited the krb5.conf template that Ambari uses to generate the krb5.conf files so that the realm is known to the Kerberos infrastructure. I assume that you already did this since you are able to kinit as a user from EXAMPLE.COM. Also, make sure that you established a trust relationship between the MIT KDC and the Active Directory. Else, even though you are able to kinit, services will not trust Kerberos tokens for that user and fail authentication. Looking at the error you are seeing, I assume you did this as well since the user appears to have been authenticated.

View solution in original post

2,185 Views
0
3 REPLIES 3

avatar
author-rank rlevas
Guru

Created ‎11-07-2018 02:53 PM

@Narendra Neerukonda

There is a place in the Ambari UI to set "additional realms". This is a comma-delimited list of realm names that Ambari will use to generate special auth-to-local rules. For each realm, Ambari will add the following rule

RULE:[1:$1@$0](.*@REALM)s/@.*//

For your example, you will add "EXAMPLE.COM" to the additional realms field. Ambari will then add the following rule to all auth-to-local rule properties it knows about:

RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//

Then principal names like user@EXAMPLE.COM will be translated into "username" when services are perform auto-to-local rule translations.

The "Additional Realms" field is found in the administrative Kerberos view... not to be confused with the Kerberos service view.

Make sure that you have also edited the krb5.conf template that Ambari uses to generate the krb5.conf files so that the realm is known to the Kerberos infrastructure. I assume that you already did this since you are able to kinit as a user from EXAMPLE.COM. Also, make sure that you established a trust relationship between the MIT KDC and the Active Directory. Else, even though you are able to kinit, services will not trust Kerberos tokens for that user and fail authentication. Looking at the error you are seeing, I assume you did this as well since the user appears to have been authenticated.

2,186 Views
0

avatar
author-rank narendra_klu9
Explorer

Created ‎11-07-2018 07:38 PM

Thanks @Robert Levas This fixed it.

2,185 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎11-07-2018 08:16 PM

@Narendra Neerukonda Awesome... I am glad that I could help. Be sure to accept my answer to close out this issue.

2,185 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements