This topic describes the configuration files of Kerberos. This topic also describes how to use a tool provided by a Key Distribution Center (KDC) server to manage principals and keytabs on the server and how to run commands on a client to manage tickets.
Prerequisites
A cluster for which Kerberos authentication is enabled is created. For more information, see Create a cluster.
You have logged on to the cluster. For more information, see Log on to a cluster.
Configuration files
krb5.conf: the configuration file of Kerberos on the client side.
krb5.conf is used to configure various settings, such as the location of the KDC server, the names of realms, and the mappings from hostnames to realms. krb5.conf is stored at /etc/krb5.conf on each E-MapReduce (EMR) node.
kdc.conf: the configuration file of Kerberos on the server side.
kdc.conf is used to configure the KDC-side programs, such as krb5kdc, kadmind, and kdb5_util. kdc.conf is stored at /var/kerberos/krb5kdc/kdc.conf on the EMR node on which the KDC server resides.
You cannot directly modify krb5.conf or kdc.conf on EMR nodes. To modify the settings in the two configuration files, log on to the EMR console and go to the Configure tab of the Kerberos service page. Only some of the settings can be modified there.
Basic operations
Server-side operations
Open the kadmin CLI
If you log on to the master-1-1 node on which the KDC server resides as the root user, run the following command to open the kadmin.local CLI:
kadmin.local
If you log on to a node other than the master-1-1 node or use a gateway, run the following command to open the kadmin CLI. Replace <admin-user> and <admin-password> with the actual values.
kadmin -p <admin-user> -w <admin-password>
Note: If you use the KDC server provided by EMR, configure the parameters in the preceding command based on the following instructions:
<admin-user>: Set the value to root/admin.
<admin-password>: To obtain the password of the admin account, log on to the EMR console, go to the Configure tab of the Kerberos service page, and then copy the value of the admin_pwd parameter.
Manage a principal
A principal is a unique identity in the Kerberos system to which Kerberos can assign tickets.
Create a principal
addprinc -pw <principal-password> <principal-name>
Parameters in the preceding command:
<principal-password>: the password of the principal.
<principal-name>: the name of the principal. If a principal represents a service, the principal name is in the xxx/hostname@realm format. If a principal represents a user, the principal name is in the username@realm format.
Delete a principal
delprinc <principal-name>
Change the password of a principal
change_password <principal-name>
View all principals
listprincs
Manage a keytab
A keytab stores the keys of one or more principals. You can use the keys to obtain tickets. To export the keytab file, run the following command:
ktadd -k <keytab-path> <principal-name>
Parameters in the preceding command:
<keytab-path>: the storage path of the keytab file.
<principal-name>: the name of the principal.
Warning: Each service in an EMR cluster maintains its own principal, such as spark/hostname@realm, and the related keytab file for authentication and authorization within the service. If you modify this type of principal or export its keytab file, the original keytab file becomes invalid, which disrupts the normal operation of the service. Therefore, do not modify this type of principal and do not export its keytab file.
Client-side operations
Tickets are central to Kerberos: a ticket is the credential that a client presents to authenticate to the KDC and to services. You can run the following commands to manage one or more tickets:
Create a ticket
kinit -kt <keytab-path> <principal-name>
View all tickets
klist
Destroy all tickets
kdestroy
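The following shell helpers are an added example for the keytab and ticket procedures above; they are not part of the EMR documentation or of MIT Kerberos. They validate principal names against the two formats the page gives (username@realm and xxx/hostname@realm), refuse to build a ktadd line for an EMR-managed service principal (the warning above names spark; the PROTECTED_PRIMARIES list is an assumption to extend for your cluster), and build the kinit line only when the keytab file is present. Nothing here contacts a KDC, so the script runs offline; the realm, hostnames, and keytab paths in the demonstration are constructed values.

```shell
#!/bin/sh
# Added example; not from the EMR documentation or from MIT Kerberos.
# These helpers only validate inputs and build the kadmin/kinit command
# lines shown on the page; they never contact a KDC.
# ASSUMPTION: PROTECTED_PRIMARIES lists the EMR-managed service principals
# whose keytabs must not be re-exported. Only "spark" is named on the page;
# extend the list for your own cluster.
PROTECTED_PRIMARIES="${PROTECTED_PRIMARIES:-spark}"

# principal_kind NAME -> prints "service" for xxx/hostname@realm,
# "user" for username@realm, and "invalid" for anything else.
principal_kind() {
  case "$1" in
    */*@*) echo service ;;
    *@*)   echo user ;;
    *)     echo invalid ;;
  esac
}

# is_protected NAME -> exit 0 when NAME is a service principal whose
# primary (the part before "/") is listed in PROTECTED_PRIMARIES.
is_protected() {
  [ "$(principal_kind "$1")" = service ] || return 1
  primary=${1%%/*}
  for p in $PROTECTED_PRIMARIES; do
    [ "$p" = "$primary" ] && return 0
  done
  return 1
}

# build_ktadd KEYTAB_PATH NAME -> prints the kadmin "ktadd" line, or fails
# with a message on stderr when NAME is malformed or protected.
build_ktadd() {
  path=$1 name=$2
  kind=$(principal_kind "$name")
  if [ "$kind" = invalid ]; then
    echo "refusing: '$name' is neither user@realm nor service/host@realm" >&2
    return 1
  fi
  if is_protected "$name"; then
    echo "refusing: '$name' is an EMR-managed service principal; exporting its keytab invalidates the service's own keytab" >&2
    return 1
  fi
  echo "ktadd -k $path $name"
}

# build_kinit KEYTAB_PATH NAME -> prints the "kinit -kt" line from the page
# after checking that the keytab file exists and is readable.
build_kinit() {
  path=$1 name=$2
  if [ "$(principal_kind "$name")" = invalid ]; then
    echo "refusing: '$name' is not a valid principal name" >&2
    return 1
  fi
  if [ ! -r "$path" ]; then
    echo "refusing: keytab '$path' is missing or unreadable" >&2
    return 1
  fi
  echo "kinit -kt $path $name"
}

# Demonstration with constructed names (EXAMPLE.COM realm, placeholder hosts).
build_ktadd /etc/keytabs/app.keytab app/emr-worker-1@EXAMPLE.COM
build_ktadd /etc/keytabs/spark.keytab spark/emr-header-1@EXAMPLE.COM || echo "(blocked as expected)"
build_ktadd /etc/keytabs/bad.keytab not-a-principal || echo "(blocked as expected)"
```

In practice the printed ktadd line would be fed to kadmin or kadmin.local and the kinit line run on the client; keeping the guard in front of kadmin is what prevents the accidental re-export that the warning above describes.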
References
For more information about Kerberos and how Kerberos works, see Overview.