Configuring Kerberos-based authentication

You can enable or disable Kerberos authentication.

Before you begin

To enable Kerberos-based authentication for the MapReduce framework:
  • The KDC must be set up on a server to issue Kerberos tickets. This reference assumes that you know how to set up a KDC and realm.
  • The Kerberos client must be installed on all management and compute hosts. Any entity that is not the KDC server (a user or a host) is a Kerberos client. This reference assumes that you know how to install and set up the Kerberos client.
  • Hadoop must be configured for secure HDFS. See Hadoop security configuration.

Procedure

  1. Create and deploy the IBM® Spectrum Symphony service principal and the keytab files.
    1. Based on your access, start kadmin.local on the KDC or kadmin on any machine.
      • If you have root access to the KDC server but do not have a Kerberos admin account, use kadmin.local. Enter sudo kadmin.local on the KDC and provide your Linux® password.
      • If you do not have root access to the KDC server but have a Kerberos admin account, use kadmin. Enter kadmin and provide your Kerberos admin password.
      • If you have root access to the KDC server and a Kerberos admin account, you can use either one.
    2. Create the service principal with a password that is to be used for the cluster administrator's login.

      For example:

      kadmin.local:  add_principal -kvno 1 testuser/iMapReduce@EXAMPLE.COM
      Enter password for principal "testuser/iMapReduce@EXAMPLE.COM":
      Re-enter password for principal "testuser/iMapReduce@EXAMPLE.COM":
      Principal "testuser/iMapReduce@EXAMPLE.COM" created.
      kadmin.local:  list_principals testuser/iMapReduce@EXAMPLE.COM
      testuser/iMapReduce@EXAMPLE.COM

    3. Generate the key table (keytab) file for the principal, using the same key version number and password that you gave add_principal. The key that ktutil derives from the password must match the key the KDC stored for the principal, so the encryption type (-e) must be one the KDC holds for that principal.

      For example:

      $ ktutil
      ktutil:  add_entry -password -p testuser/iMapReduce@EXAMPLE.COM -k 1 -e des3-cbc-sha1-kd
      Password for testuser/iMapReduce@EXAMPLE.COM:
      ktutil:  write_kt abcuser.keytab
      ktutil:  quit

      Note: des3-cbc-sha1 is deprecated in current MIT Kerberos releases. If the KDC supports it, prefer an AES encryption type such as aes256-cts-hmac-sha1-96 for both the principal and the keytab entry.

      Note: If your Kerberos version supports the norandkey option in the xst command, you can use xst -norandkey instead of ktutil to export the principal's existing key directly, without re-entering the password. For example: xst -norandkey -k keytab_file hdfs/fully.qualified.domain.name
    4. Distribute the keytab file to every host in the cluster, at the location specified by KEYTAB in the sec_ego_kerberos.conf file.

      All hosts need access to the keytab file, either locally or through a shared directory. The keytab is a long-term credential for the principal: restrict it to the cluster administrator account (for example, owner-only read permission) and copy it over an authenticated, encrypted channel such as scp rather than an unauthenticated share.

  2. On the primary host, edit the application profile at $PMR_HOME/version/os_type/profile/ to add the following properties:
    1. In the SSM (application manager) section, add the SSMHDFSRenewalPluginCmd attribute.
      SSM resReq="" workDir="${EGO_SHARED_TOP}/soam/work" SSMHDFSRenewalPluginCmd="path_to_plugin $HADOOP_HOME path_to_conf_file"
      where:

      path_to_plugin specifies the location of the Kerberos plug-in, which is by default at ${SOAM_HOME}/mapreduce/version/os_type/plugin/

      $HADOOP_HOME specifies the directory under which HDFS was installed.

      path_to_conf_file specifies the location of the sec_ego_kerberos.conf file defined by EGO_SEC_CONF. The sec_ego_kerberos.conf file is by default at $EGO_CONFDIR/

      For example:
      SSM workDir="${EGO_SHARED_TOP}/soam/work" SSMHDFSRenewalPluginCmd="${SOAM_HOME}/mapreduce/version/os_type/plugin/TokenRenewal4HDFS.sh $HADOOP_HOME ${EGO_CONFDIR}/sec_ego_kerberos.conf"
    2. In the Service section, configure an environment variable under osTypes > osType to define the location of the Hadoop token file. For example:
      <env name="HADOOP_TOKEN_FILE_LOCATION">${SOAM_HOME}/mapreduce/work/token/${log4cxx_autoindex}/_PMR_TOKENS</env>
    3. Register the application using the soamreg command. For example, using the default MapReduce application:

      soamreg $PMR_HOME/version/os_type/profile/MapReduce732.xml

  3. As cluster administrator, shut down the cluster from the primary host using the following commands:

    $ soamcontrol app disable all -f

    (If global standby services are enabled) $ egosh standby kill -GLOBAL all

    $ egosh service stop all

    $ egosh ego shutdown all

  4. Edit sec_ego_kerberos.conf at $EGO_CONFDIR on all hosts in the cluster.
    For example:
    REALM=EXAMPLE.COM
    PRINCIPALNAME=testuser/iMapReduce
    KEYTAB=/dev/sym_mr/kernel/conf/abcuser.keytab
  5. Edit ego.conf at $EGO_CONFDIR on all hosts in the cluster.
    For example:
    EGO_SEC_PLUGIN=sec_ego_kerberos
    EGO_SEC_CONF=/opt/ibm/spectrumcomputing/kernel/conf/
  6. Edit sd.xml at $EGO_ESRVDIR/esc/conf/services/ on all hosts in the cluster to add the KRB5RCACHETYPE environment variable under the correct operating system version:
    <ego:EnvironmentVariable name="KRB5RCACHETYPE">none</ego:EnvironmentVariable>
    Note: KRB5RCACHETYPE=none disables the Kerberos replay cache for the service, so a captured authenticator could be replayed within the permitted clock skew. Keep host clocks synchronized and the allowed skew small.
  7. Run the following command on the primary host to start the cluster:

    egosh ego start all

  8. Edit pmr-site.xml at $PMR_HOME/conf on all hosts in the cluster:
    1. Remove the following properties:
      • mapreduce.job.login.user
      • mapreduce.job.login.password
    2. Add the mapreduce.jobtracker.kerberos.principal property:
      For example:
      <property>
        <name>mapreduce.jobtracker.kerberos.principal</name>
        <value>testuser/iMapReduce@EXAMPLE.COM</value>
        <description>The user to renew HDFS token.</description>
      </property>
      Note: If you are using Hadoop-2.x and YARN, use the yarn.resourcemanager.principal property instead. For example:
      <property>
        <name>yarn.resourcemanager.principal</name>
        <value>testuser/iMapReduce@EXAMPLE.COM</value>
        <description>The user to renew HDFS token.</description>
      </property>
  9. Restart the cluster using the following commands:
    $ egosh ego restart all
    $ soamcontrol app enable application_name
  10. Now that the Kerberos plug-in is enabled, specify your Kerberos credentials before submitting a MapReduce job.
    1. Log in to IBM Spectrum Symphony as the MapReduce cluster administrator:
      egosh user logon
      Note: Log on as Admin, using the password assigned to the MapReduce cluster administrator. Because the plug-in obtains the ticket from the keytab named in sec_ego_kerberos.conf, the password typed here is not what proves identity, and in practice any password is accepted; the keytab file is the credential that must be protected.
    2. Submit a MapReduce job from the mrsh utility.
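The following pre-flight script is an added example, not part of the IBM documentation and not an IBM Spectrum Symphony tool. It checks, before the cluster is started in step 7, that the sec_ego_kerberos.conf values from step 4 and the keytab from step 1 agree: the keytab must hold PRINCIPALNAME@REALM at the key version number you passed to add_principal, it should not rely on deprecated encryption types, and it must not be group- or world-readable. It assumes MIT Kerberos's klist -kte output format; the configuration text and klist output embedded in it are constructed samples that mirror the procedure's examples, not output captured from a real cluster.

```shell
#!/bin/sh
# Added pre-flight check (not from the IBM documentation): confirm that
# sec_ego_kerberos.conf and the keytab it names agree before running
# "egosh ego start all". Assumes MIT Kerberos "klist -kte" output; the conf
# text and klist output below are constructed samples.

# Print the value of KEY from sec_ego_kerberos.conf text read on stdin.
conf_value() {                      # $1 = key name
    sed -n "s/^[[:space:]]*$1=[[:space:]]*//p" | tail -n 1
}

# Build the principal the plug-in authenticates as: PRINCIPALNAME@REALM.
expected_principal() {              # $1 = conf file contents
    printf '%s@%s\n' \
        "$(printf '%s\n' "$1" | conf_value PRINCIPALNAME)" \
        "$(printf '%s\n' "$1" | conf_value REALM)"
}

# Reduce "klist -kte" output (stdin) to "kvno principal enctype" lines. The
# timestamp width varies with locale, so principal and enctype are taken from
# the end of each entry line rather than from fixed columns.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { e = $NF; gsub(/[()]/, "", e); print $1, $(NF-1), e }'
}

# Return 0 if the keytab (klist -kte output on stdin) holds $1 at kvno $2.
keytab_has_principal() {            # $1 = principal, $2 = kvno
    keytab_entries | awk -v p="$1" -v k="$2" '$1 == k && $2 == p { f = 1 } END { exit !f }'
}

# Print enctypes in the keytab that current MIT Kerberos deprecates (DES, 3DES, RC4).
weak_enctypes() {
    keytab_entries | awk '$3 ~ /^(des|des3|arcfour|rc4)/ { print $3 }' | sort -u
}

# The keytab is a long-term key: return 0 only if it has no group/other bits.
keytab_perms_ok() {                 # $1 = keytab path
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ $((0$mode & 077)) -eq 0 ]
}

# Run the consistency checks; prints each finding and returns 1 if any fails.
check_keytab_config() {             # $1 = conf text, $2 = klist -kte text, $3 = expected kvno
    rc=0
    princ=$(expected_principal "$1")
    printf '%s\n' "$2" | keytab_has_principal "$princ" "$3" \
        || { echo "keytab has no entry for $princ with kvno $3"; rc=1; }
    weak=$(printf '%s\n' "$2" | weak_enctypes)
    [ -z "$weak" ] || { echo "keytab uses deprecated enctype(s): $weak"; rc=1; }
    return $rc
}

# Constructed sample: the sec_ego_kerberos.conf values from step 4.
SAMPLE_CONF='REALM=EXAMPLE.COM
PRINCIPALNAME=testuser/iMapReduce
KEYTAB=/dev/sym_mr/kernel/conf/abcuser.keytab'

# Constructed sample: what "klist -kte abcuser.keytab" would print for a keytab
# written with the 3DES enctype from the ktutil example plus an AES entry.
SAMPLE_KLIST='Keytab name: FILE:/dev/sym_mr/kernel/conf/abcuser.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/15/2024 10:22:03 testuser/iMapReduce@EXAMPLE.COM (des3-cbc-sha1)
   1 01/15/2024 10:22:03 testuser/iMapReduce@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# On a real host, run it against the live files instead of the samples:
#   check_keytab_config "$(cat $EGO_CONFDIR/sec_ego_kerberos.conf)" \
#                       "$(klist -kte /dev/sym_mr/kernel/conf/abcuser.keytab)" 1
#   keytab_perms_ok /dev/sym_mr/kernel/conf/abcuser.keytab
if check_keytab_config "$SAMPLE_CONF" "$SAMPLE_KLIST" 1; then
    echo "keytab and sec_ego_kerberos.conf are consistent"
else
    echo "fix the findings above before running 'egosh ego start all'"
fi
```

Against the sample data the script reports the deprecated des3-cbc-sha1 entry and exits non-zero, which is the intended outcome for a keytab built exactly as in the ktutil example; after re-creating the principal and keytab with an AES enctype the check passes. Run it on every host that holds a copy of the keytab, since each host's sec_ego_kerberos.conf and file permissions can drift independently.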

What to do next

To disable Kerberos authentication:
  1. Log on to the primary host as cluster administrator and shut down the cluster using the following commands:
    $ egosh standby kill -GLOBAL all
    $ egosh service stop all
    $ egosh ego shutdown all

    Note that you only need to run $ egosh standby kill -GLOBAL all if global services are enabled.

  2. Edit ego.conf at $EGO_CONFDIR to change EGO_SEC_PLUGIN on all hosts in the cluster:
    EGO_SEC_PLUGIN=sec_ego_default
  3. Restart the cluster using the following commands:
    $ egosh ego start all
    $ soamcontrol app enable application_name