Getting started with Kerberos on Hadoop

As a Hadoop developer or administrator, enabling Kerberos is an essential step towards securing your cluster. 

If you are just getting started with Kerberos on Hadoop, I recommend reading the "What is Kerberos?" section of Steve Loughran's excellent "Kerberos and Hadoop" guide.

After enabling Kerberos on your Hadoop cluster, it is recommended that you use the ‘tdatuser’ account (or another Linux user with a corresponding Kerberos principal created in the KDC) when interfacing with Hadoop from the command line. When an MIT KDC is configured via Teradata's HCLI tool, a headless keytab is created for ‘tdatuser’ and placed in the /etc/security/keytabs/ directory. That keytab holds the principal's long-term key, so anyone who can read the file can authenticate as that principal; keep it owned by tdatuser and readable by that user only.

Here are some example commands, executed on a CDH 5.9.0 cluster with Kerberos enabled:

  • Checking which principals have been created on the local MIT KDC:
    oolong1:~ # kadmin.local
    Authenticating as principal root/admin@OOLONG.HADOOP.TERADATA.COM with password.
    kadmin.local:  list_principals
    HTTP/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    HTTP/oolong2.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    HTTP/oolong3.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    HTTP/oolong4.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    HTTP/oolong5.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    HTTP/oolong6.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    K/M@OOLONG.HADOOP.TERADATA.COM
    cloudera-scm/admin@OOLONG.HADOOP.TERADATA.COM
    hdfs/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hdfs/oolong2.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hdfs/oolong3.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hdfs/oolong4.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hdfs/oolong5.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hdfs/oolong6.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hdfs@OOLONG.HADOOP.TERADATA.COM
    hive/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hive/oolong2.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    httpfs/oolong2.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    hue/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    kadmin/admin@OOLONG.HADOOP.TERADATA.COM
    kadmin/changepw@OOLONG.HADOOP.TERADATA.COM
    kadmin/history@OOLONG.HADOOP.TERADATA.COM
    kadmin/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    krbtgt/OOLONG.HADOOP.TERADATA.COM@OOLONG.HADOOP.TERADATA.COM
    mapred/oolong2.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    oozie/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    sqoop2/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    tdatuser@OOLONG.HADOOP.TERADATA.COM
    yarn/oolong2.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    yarn/oolong3.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    yarn/oolong4.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    yarn/oolong5.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    yarn/oolong6.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    zookeeper/oolong1.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    zookeeper/oolong2.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
    zookeeper/oolong3.labs.teradata.com@OOLONG.HADOOP.TERADATA.COM
  • Obtaining a ticket-granting ticket for the tdatuser principal as the tdatuser:

    oolong1:~ # su - tdatuser -c 'kinit -kt /etc/security/keytabs/tdatuser.headless.keytab tdatuser@OOLONG.HADOOP.TERADATA.COM'
  • Viewing the currently cached Kerberos tickets for the tdatuser after authentication:

    oolong1:~ # su - tdatuser -c 'klist'
    Ticket cache: FILE:/tmp/krb5cc_501
    Default principal: tdatuser@OOLONG.HADOOP.TERADATA.COM
     
    Valid starting     Expires            Service principal
    12/28/16 16:50:38  12/29/16 16:50:38  krbtgt/OOLONG.HADOOP.TERADATA.COM@OOLONG.HADOOP.TERADATA.COM
     
     
    Kerberos 4 ticket cache: /tmp/tkt501
    klist: You have no tickets cached
  • Running some very basic Hadoop-related commands as the tdatuser now that authentication with the KDC has occurred:

    oolong1:~ # su - tdatuser -c 'yarn node --list --all'
    16/12/28 16:54:46 INFO client.ConfiguredRMFailoverProxyProvider: Failing over to rm48
    Total Nodes:3
             Node-Id           Node-State      Node-Http-Address    Number-of-Running-Containers
    oolong4.labs.teradata.com:8041              RUNNING      oolong4.labs.teradata.com:8042                            0
    oolong5.labs.teradata.com:8041              RUNNING      oolong5.labs.teradata.com:8042                            0
    oolong6.labs.teradata.com:8041              RUNNING      oolong6.labs.teradata.com:8042                            0
    oolong1:~ # su - tdatuser -c 'hdfs dfs -ls /'
    Found 2 items
    drwxrwxrwt   - hdfs supergroup          0 2016-12-15 07:37 /tmp
    drwxr-xr-x   - hdfs supergroup          0 2016-12-15 07:37 /user
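The steps above (check the keytab, kinit with it, confirm the TGT with klist, then run a Hadoop command) put together as one small POSIX shell script. This is an added example, not code from the original post or from Teradata's HCLI tool. The keytab path and principal are the ones shown above; the rule that the keytab must be mode 0400 or 0600 is my assumption about a sensible policy, and KLIST_SAMPLE is constructed from the klist output above so that the parsing functions can be exercised on a machine with no KDC.

```shell
#!/bin/sh
# Added example, not from the original post or the HCLI tool.
# Pre-flight checks and TGT acquisition for a headless keytab, plus two small
# parsers for `klist` output so the checks can be tested without a KDC.

# Defaults taken from the post; override via the environment.
KEYTAB="${KEYTAB:-/etc/security/keytabs/tdatuser.headless.keytab}"
PRINCIPAL="${PRINCIPAL:-tdatuser@OOLONG.HADOOP.TERADATA.COM}"
REALM="${PRINCIPAL#*@}"

# Constructed sample, copied from the klist output in the post, used by the tests.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: tdatuser@OOLONG.HADOOP.TERADATA.COM

Valid starting     Expires            Service principal
12/28/16 16:50:38  12/29/16 16:50:38  krbtgt/OOLONG.HADOOP.TERADATA.COM@OOLONG.HADOOP.TERADATA.COM'

# keytab_mode_ok FILE
# A keytab stores the principal's long-term key: anyone who can read it can
# kinit as that principal. Accept only mode 0400 or 0600 (assumed policy).
# Tries GNU stat first, then BSD stat.
keytab_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# has_tgt REALM   (reads klist output on stdin)
# True when the cache holds a ticket-granting ticket for REALM.
has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# tgt_expiry REALM   (reads klist output on stdin)
# Prints the "Expires" timestamp of the TGT for REALM, or nothing if absent.
tgt_expiry() {
    awk -v svc="krbtgt/$1@$1" '$NF == svc { print $3, $4; exit }'
}

# kinit_from_keytab KEYTAB PRINCIPAL
# Refuses an over-permissive keytab, obtains a TGT, then confirms with
# `klist -s`, which exits non-zero when no valid ticket is cached.
kinit_from_keytab() {
    if ! keytab_mode_ok "$1"; then
        echo "refusing to use $1: missing, or readable by group/others" >&2
        return 1
    fi
    kinit -kt "$1" "$2" || return 1
    klist -s
}

# Only act when invoked with --run, e.g.:
#   su - tdatuser -c 'sh kinit_check.sh --run'
if [ "${1:-}" = "--run" ]; then
    kinit_from_keytab "$KEYTAB" "$PRINCIPAL" || exit 1
    echo "TGT for $PRINCIPAL expires: $(klist | tgt_expiry "$REALM")"
    hdfs dfs -ls /
fi
```

Run it as the tdatuser, not as root, so the ticket lands in that user's cache (/tmp/krb5cc_501 above) and the keytab ownership check is meaningful. A keytab that fails keytab_mode_ok should be fixed with chown/chmod before use rather than worked around, since a group- or world-readable keytab gives every local account the ability to act as that principal.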