This topic describes how to implement cross-realm mutual trust for Kerberos clusters. This helps with access between Kerberos clusters across realms.
Procedure
In this topic, cross-realm mutual trust is implemented to realize cross-realm access from the Cluster-A cluster to a service of the Cluster-B cluster. The access can be realized only after the cross-realm mutual trust is implemented and the Cluster-A cluster obtains a Ticket Granting Ticket (TGT) from its Key Distribution Center (KDC) server. In the following steps, the cross-realm mutual trust is implemented for only one-way access. To realize cross-realm access from the Cluster-B cluster to a service of the Cluster-A cluster, exchange the configurations of the two clusters when you perform the following steps.
Step 1: Make preparations
On the Configure tab of the Kerberos service page in the Cluster-A cluster, click the krb5.conf subtab and obtain the values of the kdc_hosts and realm parameters. The two parameters indicate the hostname and the realm of the cluster. Repeat the operation for the Cluster-B cluster. In this topic, the following information about hostnames and realms is obtained:
- The Cluster-A cluster:
  - Hostname: master-1-1.1234.cn-hangzhou.emr.aliyuncs.com
  - Realm: EMR.1234.COM
- The Cluster-B cluster:
  - Hostname: master-1-1.6789.cn-hangzhou.emr.aliyuncs.com
  - Realm: EMR.6789.COM
Step 2: Create a Principal for cross-realm authentication
- Log on to the master-1-1 node in the Cluster-A cluster in SSH mode.
- Run the following command as the root user to create a Principal for cross-realm authentication for Cluster-A:
  kadmin.local -q "addprinc -pw 123456 krbtgt/EMR.6789.COM@EMR.1234.COM"
  Parameters in the command:
  - 123456: the initial password, which can be customized.
  - EMR.1234.COM: the realm of the Cluster-A cluster.
  - EMR.6789.COM: the realm of the Cluster-B cluster.
- Log on to the master-1-1 node in the Cluster-B cluster and repeat the preceding operations to create a Principal for cross-realm authentication for Cluster-B.
Step 3: Modify the krb5.conf file
On the Configure tab of the Kerberos service page in the Cluster-A cluster, click the krb5.conf subtab and modify the following settings:
- other_realms
  EMR.C-BE49B6BBAEEA****.COM = {
      kdc = 192.168.xx.xx:88
      admin_server = 192.168.xx.xx:749
  }
- domains
  .1234.cn-hangzhou.emr.aliyuncs.com = EMR.1234.COM
  .6789.cn-hangzhou.emr.aliyuncs.com = EMR.6789.COM
- capaths
  EMR.1234.COM = {
      EMR.6789.COM = .
  }
  EMR.6789.COM = {
      EMR.1234.COM = .
  }
Note: If you want to run jobs in the Cluster-A cluster that involve access to the Cluster-B cluster, restart YARN in the Cluster-B cluster.
Step 4: Access a service of the Cluster-B cluster
After the Cluster-A cluster obtains a TGT from its KDC server, you can access a service of the Cluster-B cluster from the Cluster-A cluster.
- Create a Principal for a test and generate a ticket.
  kadmin.local -q "addprinc -pw 123456 test"
  kinit test
- Access the Hadoop Distributed File System (HDFS) service of the Cluster-B cluster from the Cluster-A cluster.
hdfs dfs -ls hdfs://master-1-1.6789.cn-hangzhou.emr.aliyuncs.com:9000/
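The following script is an added example and is not part of the EMR documentation or product. It renders the krb5.conf sections from Step 3 for the two realms above (using the MIT krb5 section names [realms], [domain_realm] and [capaths], which the EMR console labels other_realms, domains and capaths) and checks an existing krb5.conf for the symmetric capaths entries and domain mappings that Step 3 requires. The KDC address is the page's placeholder and must be replaced with the Cluster-B KDC.

```shell
#!/bin/sh
# Hypothetical helper (added example): render and verify the cross-realm
# trust settings for Cluster-A -> Cluster-B. Realms and domains come from
# Step 1 of the procedure; KDC_B is a placeholder to be replaced.
REALM_A="EMR.1234.COM"
REALM_B="EMR.6789.COM"
DOMAIN_A=".1234.cn-hangzhou.emr.aliyuncs.com"
DOMAIN_B=".6789.cn-hangzhou.emr.aliyuncs.com"
KDC_B="192.168.xx.xx"   # placeholder from the page: Cluster-B KDC address

# Print the krb5.conf fragment that Step 3 adds on Cluster-A.
render_trust_conf() {
    cat <<EOF
[realms]
    $REALM_B = {
        kdc = $KDC_B:88
        admin_server = $KDC_B:749
    }
[domain_realm]
    $DOMAIN_A = $REALM_A
    $DOMAIN_B = $REALM_B
[capaths]
    $REALM_A = {
        $REALM_B = .
    }
    $REALM_B = {
        $REALM_A = .
    }
EOF
}

# Return 0 only when the given krb5.conf declares a direct capath in both
# directions (A -> B and B -> A) and maps both DNS domains to their realms.
check_trust_conf() {
    conf="$1"
    for pair in "$REALM_A $REALM_B" "$REALM_B $REALM_A"; do
        set -- $pair
        # A capaths block may span several lines, so flatten before matching
        # "<src> = { ... <dst> = ." ('.' means a direct path, no intermediate).
        tr '\n' ' ' < "$conf" | grep -Eq "$1 = \{[^}]*$2 = \." || return 1
    done
    grep -Eq "^[[:space:]]*$DOMAIN_A = $REALM_A" "$conf" || return 1
    grep -Eq "^[[:space:]]*$DOMAIN_B = $REALM_B" "$conf" || return 1
    return 0
}
```

Run `render_trust_conf` to produce the fragment, and `check_trust_conf /etc/krb5.conf` on a node to confirm that both directions of the trust are declared before testing with `kinit` and `hdfs dfs -ls`.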