Configure AD user authentication for Kerberos
Where you have a Hadoop environment configured with Kerberos security, you can configure it to authenticate against the ECS AD domain.
Make sure you have an AD user in your ADREALM. The user "detscr" in the ADREALM CAMBRIDGE.ACME.COM is used in the examples below. Create a one-way trust between the KDCREALM and the ADREALM as shown in the example. Do not try to validate this realm using "netdom trust".
On Active Directory
You must set up a one-way cross-realm trust from the KDC realm to the AD realm. To do so, run the following commands at a command prompt.
ksetup /addkdc KDC-REALM <KDC hostname>
netdom trust KDC-REALM /Domain:AD-REALM /add /realm /passwordt:<TrustPassword>
ksetup /SetEncTypeAttr KDC-REALM <enc_type>
For example:
ksetup /addkdc LSS.ACME.COM lcigb101.lss.emc.com
netdom trust LSS.ACME.COM /Domain:CAMBRIDGE.ACME.COM /add /realm /passwordt:ChangeMe
ksetup /SetEncTypeAttr LSS.ACME.COM DES-CBC-CRC
In this example the des-cbc-crc encryption type was used. It is a weak (single-DES) encryption type that was chosen only for demonstration purposes. Whichever encryption type you choose, AD, the KDC, and the clients must all support it.
On your KDC (as root)
To set up a one-way trust, you must create a "krbtgt" service principal named krbtgt/KDC-REALM@AD-REALM. Give it the password ChangeMe, or whatever you passed to the /passwordt argument above.
- On the KDC (as root):
# kadmin
kadmin: addprinc -e "des-cbc-crc:normal" krbtgt/LSS.ACME.COM@CAMBRIDGE.ACME.COM
NOTE: When deploying, it is best to limit the encryption types to the one you chose. Once this is working, additional encryption types can be added.
- Add the following rules to your core-site.xml hadoop.security.auth_to_local property:
RULE:[1:$1@$0](^.*@CAMBRIDGE\.ACME\.COM$)s/^(.*)@CAMBRIDGE\.ACME\.COM$/$1/g
RULE:[2:$1@$0](^.*@CAMBRIDGE\.ACME\.COM$)s/^(.*)@CAMBRIDGE\.ACME\.COM$/$1/g
- Verify that AD or LDAP is correctly set up with the Kerberos (KDC) server. A user should be able to "kinit" as an AD user and list a local HDFS directory.
NOTE: If you are configuring your Hadoop cluster and ECS to authenticate through an AD, create local Linux user accounts on all Hadoop nodes for the AD user you will kinit as, and make sure that all Hadoop hosts are kinit'ed using that AD user. For example, if you kinit as userX@ADREALM, create userX as a local user on all Hadoop hosts, and run 'kinit userX@ADREALM' on all hosts as that user.
In the example below, we authenticate with "kinit detscr@CAMBRIDGE.ACME.COM", so we create a user called "detscr" and kinit as this user on the Hadoop host, as shown below:
[root@lviprb159 ~]# su detscr
[detscr@lviprb159 root]$ whoami
detscr
[detscr@lviprb159 root]$ kinit detscr@CAMBRIDGE.ACME.COM
Password for detscr@CAMBRIDGE.ACME.COM:
[detscr@lviprb159 root]$ klist
Ticket cache: FILE:/tmp/krb5cc_1010
Default principal: detscr@CAMBRIDGE.ACME.COM
Valid starting Expires Service principal
12/22/14 14:28:27 03/02/15 01:28:30 krbtgt/CAMBRIDGE.ACME.COM@CAMBRIDGE.ACME.COM
renew until 09/17/17 15:28:27
[detscr@lviprb159 root]$ hdfs dfs -ls /
Found 4 items
drwx---rwx - yarn hadoop 0 2014-12-23 14:11 /app-logs
drwx---rwt - hdfs 0 2014-12-23 13:48 /apps
drwx---r-x - mapred 0 2014-12-23 14:11 /mapred
drwx---r-x - hdfs 0 2014-12-23 14:11 /mr-history
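The two auth_to_local rules above decide which Kerberos principals become local Hadoop users, so it is worth checking exactly what they accept and reject before relying on them. The following added example (not part of the ECS documentation or the Hadoop code base) re-implements the RULE:[n:format](filter)s/pattern/replacement/g evaluation in Python and runs the page's two rules against a few constructed principals; the hostname host.example.com and the rule-parsing helper names are assumptions.

```python
import re
from collections import namedtuple
# The two rules from the core-site.xml hadoop.security.auth_to_local example above.
AUTH_TO_LOCAL_RULES = [
    r"RULE:[1:$1@$0](^.*@CAMBRIDGE\.ACME\.COM$)s/^(.*)@CAMBRIDGE\.ACME\.COM$/$1/g",
    r"RULE:[2:$1@$0](^.*@CAMBRIDGE\.ACME\.COM$)s/^(.*)@CAMBRIDGE\.ACME\.COM$/$1/g",
]
# Rule grammar: RULE:[n:format](filter)s/pattern/replacement/g  (DEFAULT is not modelled)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")
Rule = namedtuple("Rule", "num_components fmt filt pattern replacement repeat")

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    n, fmt, filt, pat, repl, g = m.groups()
    repl = re.sub(r"\$(\d)", r"\\\1", repl or "")  # Java-style $1 -> Python \1
    return Rule(int(n), fmt, re.compile(filt) if filt else None,
                re.compile(pat) if pat else None, repl, g == "g")

def apply_rule(rule, realm, components):
    """Short name produced by one rule, or None when the rule does not apply."""
    if len(components) != rule.num_components:  # [1:..] vs [2:..] selects on component count
        return None
    params = [realm] + components                # $0 is the realm, $1.. the components
    base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], rule.fmt)
    if rule.filt and not rule.filt.fullmatch(base):
        return None
    if rule.pattern is None:
        return base
    return rule.pattern.sub(rule.replacement, base, count=0 if rule.repeat else 1)

def to_local(principal, rule_texts=AUTH_TO_LOCAL_RULES):
    """Map 'name[/instance]@REALM' to a local user, or raise when no rule accepts it."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal without realm: {principal}")
    components = name.split("/")
    for rule in map(parse_rule, rule_texts):
        result = apply_rule(rule, realm, components)
        if result is None:
            continue
        if "@" in result or "/" in result:  # Hadoop refuses non-simple names as well
            raise ValueError(f"non-simple name {result!r} from rule {rule.fmt}")
        return result
    raise ValueError(f"no auth_to_local rule matched {principal}")

# Constructed principals: the page's AD user, a service principal, one from the KDC realm.
assert to_local("detscr@CAMBRIDGE.ACME.COM") == "detscr"
assert to_local("hdfs/host.example.com@CAMBRIDGE.ACME.COM") == "hdfs"
```

With only these two rules configured, a principal from any other realm (for example detscr@LSS.ACME.COM) matches nothing and is rejected, which is the intended restriction; a rule whose filter is simply (.*) would map users from every trusted realm onto local accounts.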