Kerberos Installation Example - Cloudera

Note

This document was developed by going through these steps on a base CDH 5.4 sandbox, not on the newer Kylo sandbox for the Cloudera distribution.

Important

This document should only be used for DEV/Sandbox purposes. It is useful to help quickly Kerberize your Cloudera sandbox so that you can test Kerberos features.

Prerequisite

Java

All client nodes should have Java installed.

$ java -version
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)

$ echo $JAVA_HOME
/usr/java/jdk1.7.0_80

Install the Java Cryptography Extension (JCE) Unlimited Strength policy files. Without them the JRE caps AES at 128-bit keys, and the aes256-cts encryption type selected later in the Cloudera Manager wizard cannot be used.

sudo wget -nv --no-check-certificate --no-cookies --header "Cookie:oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jce/7/UnlimitedJCEPolicyJDK7.zip -O /usr/java/jdk1.7.0_80/jre/lib/security/UnlimitedJCEPolicyJDK7.zip

cd /usr/java/jdk1.7.0_80/jre/lib/security

sudo unzip UnlimitedJCEPolicyJDK7.zip

sudo cp UnlimitedJCEPolicy/* .

#sudo rm -r UnlimitedJCEPolicy*

ls -l

Test Java Cryptography Extension

Create a file named Test.java and paste the code below into it. It asks the JCE framework for the largest AES key length the installed policy allows.

$ vi Test.java

import javax.crypto.Cipher;

class Test {
    public static void main(String[] args) {
        try {
            System.out.println("Hello World!");
            // Integer.MAX_VALUE means the unlimited policy is active;
            // 128 means the default restricted policy is still in place.
            int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
            System.out.println(maxKeyLen);
        } catch (Exception e) {
            System.out.println("Sad world :( " + e);
        }
    }
}

Compile:

$ javac Test.java

Run the test. The expected number is 2147483647 (Integer.MAX_VALUE); if you see 128 instead, the unlimited policy files were not copied into jre/lib/security.

$ java Test
Hello World!
2147483647

Install Kerberos

On a cluster, go to the master node for installation of Kerberos utilities.

  1. Install the KDC server, the Kerberos libraries and the client tools:
yum install krb5-server krb5-libs krb5-workstation
  2. Using a text editor, open the Kerberos configuration file (it is read by clients, the KDC and kadmin alike), located by default here:
vi /etc/krb5.conf
  3. Set the realm to "quickstart.cloudera" in both [libdefaults] and [realms], and point kdc and admin_server at the sandbox host. Realm names are case-sensitive, so use exactly this spelling in every file below and later in the Cloudera Manager wizard.
[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

[libdefaults]
   default_realm = quickstart.cloudera
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true

[realms]
   quickstart.cloudera = {
     kdc = quickstart.cloudera
     admin_server = quickstart.cloudera
   }
  4. Update /var/kerberos/krb5kdc/kdc.conf and change the [realms] entry to "quickstart.cloudera". supported_enctypes is a single line. The DES and arcfour (RC4) types in the stock file are cryptographically weak and are only there for very old clients; for the sandbox you can drop everything after aes128-cts:normal. Cloudera Manager will select aes256-cts-hmac-sha1-96 below.
[kdcdefaults]
   kdc_ports = 88
   kdc_tcp_ports = 88

[realms]
   quickstart.cloudera = {
     #master_key_type = aes256-cts
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
   }
  5. Update /var/kerberos/krb5kdc/kadm5.acl and replace EXAMPLE.COM with "quickstart.cloudera". This entry grants every principal with an /admin instance full rights over the KDC:
*/admin@quickstart.cloudera  *
  6. Create the Kerberos database with the kdb5_util utility. The -s flag stashes the master key under /var/kerberos/krb5kdc so the KDC can start without a human typing it. When prompted for the master password, enter thinkbig (the password used throughout this sandbox guide).
kdb5_util create -s
  7. Start the KDC server and the KDC admin server.
/etc/rc.d/init.d/krb5kdc start
/etc/rc.d/init.d/kadmin start

Note

When installing and managing your own MIT KDC, it is very important to set up the KDC server to auto start on boot.

chkconfig krb5kdc on
chkconfig kadmin on
  8. Create the KDC admin principal. When prompted for its password, enter thinkbig.
kadmin.local -q "addprinc admin/admin"
  9. Confirm that this admin principal has permissions in the KDC ACL. Using a text editor, open the KDC ACL file:
vi /var/kerberos/krb5kdc/kadm5.acl
  10. Ensure that the KDC ACL file includes an entry that allows the admin principal to administer the KDC for your realm. The file should contain the entry from step 5:
*/admin@quickstart.cloudera  *
  11. After editing and saving the kadm5.acl file, you must restart the kadmin process.
/etc/rc.d/init.d/kadmin restart
  12. Create a Linux user to test whether Kerberos authentication is working. Run hadoop fs -ls / as this user now, before Kerberos is enabled, and it succeeds; after the Cloudera Manager wizard below has run, the same command fails until the user obtains a ticket with kinit.
adduser testUser
su - testUser
hadoop fs -ls /
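The steps above edit three files by hand and rely on the realm being spelled identically in each of them. As an added example (not part of the original Cloudera/Kylo guide), the script below renders krb5.conf, kdc.conf and kadm5.acl for a given realm and KDC host into a scratch directory, offers only the AES enctypes, and checks the result for realm consistency and weak enctypes before you copy the files into place. The realm, host and output directory are parameters; the defaults are assumptions that match the sandbox values used in this guide.

```shell
#!/bin/sh
# Render the three MIT Kerberos config files for a single-host DEV KDC and
# sanity-check them before copying them into place. Realm, KDC host and output
# directory are parameters; the defaults are the sandbox values used above.

REALM="${REALM:-quickstart.cloudera}"
KDC_HOST="${KDC_HOST:-quickstart.cloudera}"

# Write krb5.conf (library/client config), kdc.conf (KDC config) and kadm5.acl
# into $3. Only the AES enctypes are offered; the DES and arcfour types from
# the stock CentOS template are deliberately left out.
render_krb5_configs() {
  realm="$1"; kdc="$2"; out="$3"
  mkdir -p "$out"
  cat > "$out/krb5.conf" <<EOF
[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

[libdefaults]
   default_realm = $realm
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true

[realms]
   $realm = {
     kdc = $kdc
     admin_server = $kdc
   }
EOF
  cat > "$out/kdc.conf" <<EOF
[kdcdefaults]
   kdc_ports = 88
   kdc_tcp_ports = 88

[realms]
   $realm = {
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = aes256-cts:normal aes128-cts:normal
   }
EOF
  printf '*/admin@%s  *\n' "$realm" > "$out/kadm5.acl"
}

# Exit 0 when the realm is spelled identically (Kerberos realms are
# case-sensitive) in all three files, default_realm is set to it, the
# */admin ACL entry exists, and no DES or arcfour enctype is offered.
check_krb5_configs() {
  realm="$1"; out="$2"; rc=0
  for f in krb5.conf kdc.conf kadm5.acl; do
    grep -q -F -- "$realm" "$out/$f" \
      || { echo "realm $realm not found in $f" >&2; rc=1; }
  done
  grep -q -F -x "   default_realm = $realm" "$out/krb5.conf" \
    || { echo "default_realm in krb5.conf is not $realm" >&2; rc=1; }
  grep -q -F -x "*/admin@$realm  *" "$out/kadm5.acl" \
    || { echo "kadm5.acl lacks the */admin@$realm entry" >&2; rc=1; }
  if grep supported_enctypes "$out/kdc.conf" | grep -q -E '(^| )(des|des3|arcfour)-'; then
    echo "weak DES/arcfour enctype offered in kdc.conf" >&2; rc=1
  fi
  return $rc
}

# Stand-alone run: render into a scratch directory, validate, and print the
# commands a root shell on the KDC host runs next (the same steps as above).
main() {
  out="${OUT:-$(mktemp -d)}"
  render_krb5_configs "$REALM" "$KDC_HOST" "$out"
  check_krb5_configs "$REALM" "$out" || return 1
  echo "Validated configs in $out. Install them with:"
  echo "  cp $out/krb5.conf /etc/krb5.conf"
  echo "  cp $out/kdc.conf $out/kadm5.acl /var/kerberos/krb5kdc/"
  echo "  kdb5_util create -s"
  echo "  /etc/rc.d/init.d/krb5kdc start && /etc/rc.d/init.d/kadmin start"
}
main
```

Run it as `REALM=quickstart.cloudera KDC_HOST=quickstart.cloudera sh render_kdc.sh`; it refuses to hand you files whose realm spelling differs between krb5.conf, kdc.conf and kadm5.acl, which is the most common reason the Cloudera Manager wizard later fails to authenticate as admin/admin.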

Install Kerberos on Cloudera Cluster

  1. Log in to Cloudera Manager and select the Security option from the Administration tab.

    image1

  2. Click on Enable Kerberos.

    image2

  3. Select each item and click on Continue.

    image3

  4. The Kerberos wizard needs to know the details of what you configured on the KDC above. Fill in the entries as follows and click Continue. The realm must match the spelling used in krb5.conf and kdc.conf exactly, and aes256-cts-hmac-sha1-96 is the reason the unlimited JCE policy files were installed earlier.

KDC Server Host: quickstart.cloudera
Kerberos Security Realm: quickstart.cloudera
Kerberos Encryption Types: aes256-cts-hmac-sha1-96

    image4

  5. Select the checkbox Manage krb5.conf through Cloudera Manager.

    image5

  6. Enter the username and password of the KDC admin user created in the previous section.

Username : admin/admin@quickstart.cloudera
Password : thinkbig

The next screen confirms that the wizard was able to authenticate to the KDC with these credentials.

    image6

  7. Select "I'm ready to restart the cluster now" and click on Continue.

    image7

  8. Make sure all services start properly. Kerberos is now enabled on the cluster.

KeyTab Generation

  1. Create a keytab for the NiFi service principal. addprinc -randkey gives the principal a random key that nobody has to know; xst exports that key to the keytab, and -norandkey keeps the existing key instead of rotating it, so extracting again does not invalidate an earlier copy of the keytab. The target directory must exist before xst writes into it.
mkdir -p /etc/security/keytabs
kadmin.local
addprinc -randkey nifi@quickstart.cloudera
xst -norandkey -k /etc/security/keytabs/nifi.headless.keytab nifi@quickstart.cloudera
exit

A keytab is equivalent to the principal's password, so restrict it to the service user and its group:

chown nifi:hadoop /etc/security/keytabs/nifi.headless.keytab
chmod 440 /etc/security/keytabs/nifi.headless.keytab

[Optional] Verify the keytab by obtaining a ticket from it. The short name nifi is expanded to nifi@quickstart.cloudera through default_realm in krb5.conf.

kinit -kt /etc/security/keytabs/nifi.headless.keytab nifi
klist
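The keytab steps above are typed one at a time and nothing checks the result. As an added example (not the page's own commands), the script below wraps the same flow for any headless service principal: it feeds the addprinc/xst batch to kadmin.local, locks the file down, confirms the principal is actually in the keytab from klist -kt output, and proves the keytab works with a kinit into a throwaway credential cache. The principal, keytab path, owner and group are parameters; the defaults are assumptions matching the NiFi values above, and the script must run as root on the KDC host.

```shell
#!/bin/sh
# Create a headless service principal, export its keytab, lock the file down
# and verify it. Defaults are the NiFi values from the guide (assumed);
# override with PRINC=, KEYTAB=, OWNER=, GROUP= in the environment.

PRINC="${PRINC:-nifi@quickstart.cloudera}"
KEYTAB="${KEYTAB:-/etc/security/keytabs/nifi.headless.keytab}"
OWNER="${OWNER:-nifi}"
GROUP="${GROUP:-hadoop}"

# Print the kadmin.local batch for one principal: -randkey so no human ever
# learns the password, xst -norandkey so the key already in the KDC is kept
# (a fresh key would invalidate any copy of this keytab on another host).
kadmin_batch() {
  printf 'addprinc -randkey %s\nxst -norandkey -k %s %s\n' "$1" "$2" "$1"
}

# Does klist -kt output (on stdin) contain an entry for principal $1?
# The principal is always the last field of an entry line.
keytab_has_principal() {
  awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# A keytab is a password equivalent: owner and group read only, nothing for
# others. Returns 1 if the resulting mode is not exactly r--r-----.
lock_down_keytab() {
  chmod 440 "$1" || return 1
  perm=$(ls -ld "$1" | cut -c1-10)
  [ "$perm" = "-r--r-----" ]
}

main() {
  mkdir -p "$(dirname "$KEYTAB")"
  kadmin_batch "$PRINC" "$KEYTAB" | kadmin.local
  chown "$OWNER:$GROUP" "$KEYTAB"
  lock_down_keytab "$KEYTAB" || { echo "bad mode on $KEYTAB" >&2; exit 1; }
  klist -kt "$KEYTAB" | keytab_has_principal "$PRINC" \
    || { echo "$PRINC is not in $KEYTAB" >&2; exit 1; }
  # Prove the keytab works end to end in a throwaway cache, then drop it so
  # the root shell is not left holding a service ticket.
  cc="/tmp/krb5cc_keytabcheck.$$"
  KRB5CCNAME="$cc" kinit -kt "$KEYTAB" "$PRINC" \
    && KRB5CCNAME="$cc" klist \
    && KRB5CCNAME="$cc" kdestroy
}

# Only touch the KDC when explicitly asked: sh make_keytab.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `sh make_keytab.sh run`; without the argument it only defines the functions, so it can be sourced and the checks reused for other keytabs.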