Creating Kerberos principals for client authentication

Create the principals and keytab files to enable Kerberos authentication for the cluster management console.

Before you begin

Review the prerequisites for Kerberos authentication.

About this task

This task uses examples to illustrate a basic Kerberos scenario and makes the following assumptions about your IBM Spectrum Conductor cluster; ensure that you modify this task as it applies to your production cluster:
  • IBM Spectrum Conductor is installed on your hosts using a non-root cluster administrator account; for example, egoadmin. This account is specified as the CLUSTERADMIN environment variable during installation.
  • Your cluster uses different user accounts to manage IBM Spectrum Conductor and deploy instance groups. In this case, you must also create principals for these accounts, so you can use Kerberos credentials to access the cluster management console and the egosh command line using these user accounts. These user accounts must already be added to the system (see Creating a user account).
    The following user accounts are used as examples:
    • consumer_exec_user is the OS user account specified as the execution user for a consumer. This execution user is specified when a consumer is created or updated.
    • sig_exec_user is the execution user specified for an instance group. This execution user is specified when an instance group is created.
    • notebook_exec_user is the user specified for a notebook that is associated with an instance group. This user is assigned to the notebook after the associated instance group is created.
    Note: If you use IBM Spectrum Scale with IBM Spectrum Conductor, you can enable Kerberos authentication for users accessing the IBM Spectrum Scale cluster in the OS integrating with Kerberos.

Procedure

  1. Start the kadmin.local command-line interface on the KDC server.
    Note: If you have root access to your KDC machine, log in to the KDC server as root and use the kadmin.local command-line interface to generate principals and keytabs. If you do not have root access to the KDC server, use the kadmin command-line interface on any Kerberos configured machine to generate principals and keytabs.
    kadmin.local
  2. Create a principal for the VEMKD process on the primary host as vemkd/cluster_name@KERBEROS_REALM. For example:
    kadmin.local: addprinc vemkd/cluster1@EXAMPLE.COM
  3. Create the keytab file containing entries for the vemkd/cluster_name@KERBEROS_REALM principal. For example:
    kadmin.local: ktadd -k /tmp/vemkd.keytab -norandkey vemkd/cluster1@EXAMPLE.COM
    Important: The keytab file contains encrypted keys that are derived from the Kerberos password. Anytime you update the Kerberos password, you must recreate all your keytab files. Anyone with read permission on a keytab file can use all of the keys it contains. Therefore, ensure that you restrict and monitor permissions on the keytab files you create.
  4. Copy the vemkd.keytab file securely to the $EGO_TOP/kernel/conf/ directory on all hosts in the cluster.
  5. Ensure that the vemkd.keytab file is readable by the cluster administrator (egoadmin, in this example). Verify that the file is owned by the cluster administrator and that its permissions are set to 600, so that no other user can read the keys it contains.
  6. If required, create principals for the different users that manage IBM Spectrum Conductor and deploy instance groups.

    This example creates principals for egoadmin (cluster administrator), consumer_exec_user (OS user account specified as the consumer user), sig_exec_user (instance group execution user), and notebook_exec_user (notebook user):

    kadmin.local: addprinc egoadmin
    kadmin.local: addprinc consumer_exec_user
    kadmin.local: addprinc sig_exec_user
    kadmin.local: addprinc notebook_exec_user

    When prompted, enter a password for the user's principal in Kerberos. This password is used for the user's OS logon once the OS is configured for Kerberos authentication.

  7. Confirm the principals you created.
    kadmin.local: listprincs
  8. Try accessing the Kerberos administration system using the newly created principals (with and without keytabs). For example:
    kadmin -p vemkd/cluster1@EXAMPLE.COM -kt /tmp/vemkd.keytab
    quit

    kadmin -p egoadmin@EXAMPLE.COM
    quit
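The procedure above as a small shell script (an added example, not an IBM script): the kadmin.local steps are wrapped in a function for the KDC, the step 5 check on the copied keytab is made mechanical, and the keytab is verified with a non-interactive kinit instead of kadmin. The realm, cluster name, keytab path and administrator account are assumed values; it expects Linux with GNU coreutils (stat -c) and MIT Kerberos tools.

```shell
#!/bin/sh
# Assumed values (not from the page): realm, cluster name, keytab path, cluster admin.
REALM=EXAMPLE.COM
CLUSTER=cluster1
KEYTAB=/tmp/vemkd.keytab
ADMIN=egoadmin

# Steps 2-3: create the VEMKD principal and export its key. -norandkey (an ASCII
# hyphen) keeps the existing key, so the principal's password stays usable after
# ktadd. Run on the KDC as root; addprinc prompts for the principal's password.
create_vemkd_keytab() {
    kadmin.local -q "addprinc vemkd/$CLUSTER@$REALM"
    kadmin.local -q "ktadd -k $KEYTAB -norandkey vemkd/$CLUSTER@$REALM"
}

# Step 5 check: a keytab is only as safe as its file permissions. Succeeds when the
# file exists, is owned by the expected account and has mode 600; otherwise reports
# each problem and fails, so it can gate the copy in a deployment script.
check_keytab() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "keytab missing: $file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")
    user=$(stat -c '%U' "$file")
    status=0
    if [ "$user" != "$owner" ]; then
        echo "keytab $file owned by $user, expected $owner" >&2
        status=1
    fi
    if [ "$mode" != "600" ]; then
        echo "keytab $file has mode $mode, expected 600" >&2
        status=1
    fi
    return $status
}

# Step 8 for the service principal: get a ticket from the keytab with no password
# prompt, list it, then discard it. Needs a reachable KDC.
verify_keytab_login() {
    kinit -kt "$1" "$2" && klist && kdestroy
}

# Stand-alone use: sh keytab-check.sh /path/to/vemkd.keytab egoadmin
if [ "$#" -ge 2 ]; then
    check_keytab "$1" "$2"
fi
```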

What to do next

After creating the principals, set up the configuration to use the sec_ego_kerberos security plug-in. See Configuring the sec_ego_gsskrb plug-in for Spark workload.
Tip: If you want to add Kerberos principals as consumer users, you must explicitly add them to the EGO user namespace. To add users to the EGO user namespace, run the egosh user add command or use the cluster management console. The user namespace is maintained in the $EGO_CONFDIR/users.xml file.