Configuration parameters for Kerberos
Edit the sec_ego_kerberos.conf configuration file used by the Kerberos plug-in within the MapReduce framework in IBM® Spectrum Symphony.
Kerberos parameters
Edit the sec_ego_kerberos.conf configuration file used by the Kerberos plug-in within the MapReduce framework. Ensure that you edit this file on all hosts in the cluster.
The sec_ego_kerberos.conf file defines key-value pairs and is under
$EGO_CONFDIR (Linux®) or
%EGO_CONFDIR (Windows). The
configuration parameters are as follows:
Key | Description and value |
---|---|
REALM | Specifies the Kerberos realm, which is a logical network served by a single Kerberos database and a set of KDCs; for example, EXAMPLE.COM |
PRINCIPALNAME | Specifies a string that names an entity to which a set of
credentials may be assigned. We recommend that you configure this string as
NameNodeConsumer/cluster_name; for example,
testuser/iMapReduce. Important: The principal name that you specify as the service
principal maps to the user name of the cluster administrator (Admin). All other user names
within the MapReduce framework map to and from the principal names using the full name. For example,
user@REALM.COM is mapped to user (and vice versa); user/consumeradmin@REALM.COM is mapped to
user/consumeradmin.
|
KEYTAB | Specifies the location of the key table file containing one or more keys for the service principal; for example, /dev/sym_mr/kernel/conf/abcuser.keytab. |
KRB5CACHE (optional) | Specifies the location of the Kerberos credential cache.
Kerberos will append
|
KINITDIR (optional) | Specifies the location of the kinit executable, which by default is /usr/bin. |
EGO parameters
Edit the ego.conf configuration file, which is located at
$EGO_CONFDIR (Linux) or
%EGO_CONFDIR (Windows). Ensure that
you edit this file on all hosts in the cluster.
Parameter | Description |
---|---|
EGO_SEC_PLUGIN | Specifies the security mechanism to use when connecting to the IBM Spectrum Symphony cluster. For Kerberos authentication, use sec_ego_kerberos. |
EGO_SEC_CONF | Specifies the location of the sec_ego_kerberos.conf file for the Kerberos plug-in. The configuration file is at $EGO_CONFDIR. |
Session Director parameters
Edit the sd.xml service definition file, which is at
$EGO_CONFDIR/../../eservice/esc/conf/services/:
Parameter | Description |
---|---|
KRB5RCACHETYPE | Specifies the default replay cache type. For Kerberos authentication, use none. |