Describes how Kerberos works with HPE Ezmeral Data Fabric tickets.
HPE Ezmeral Data Fabric does not directly support Kerberos. However, Kerberos is indirectly supported through the HPE Ezmeral Data Fabric login utility, which is used to generate HPE Ezmeral Data Fabric tickets. This topic describes how Kerberos works with HPE Ezmeral Data Fabric tickets.
When you install Kerberos out of the box with RHEL 8, it uses the new default Kerberos
Cache Manager (KCM) credentials cache type, which fails to work with the maprlogin
kerberos command. To resolve this issue, disable KCM.
Open the file /etc/krb5.conf.d/kcm_default_ccache and comment out the
following lines:
[libdefaults]
default_ccache_name = KCM: Alternatively, remove this file.
To use Kerberos to generate HPE Ezmeral Data Fabric tickets for users, enable Kerberos on CLDB by creating a Kerberos identity on the Kerberos server used by the cluster and distributing that identity to the other CLDB nodes in the cluster.
HPE Ezmeral Data Fabric clusters do not provide Kerberos infrastructure. This section assumes you have a functioning Kerberos realm and your systems have the Kerberos client installed. The tips in this section assume a Linux-based Kerberos environment, and the specific commands for your environment may vary. Please consult with your Kerberos administrator for assistance.
The CLDB requires a Kerberos server identity, but no other nodes do. By default, this
identity takes the form mapr/<cluster name>. You can use configure.sh or edit the
mapr-clusters.conf file to change this default. Use the following
commands in a Linux-based Kerberos environment to set up the identity:
kadmin
: addprinc -randkey mapr/my.cluster.com
: ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.comCopy the resulting mapr.keytab file to the same location on every CLDB
node. The mapr.keytab file must be owned and readable only by the
mapr user. You can specify the location of the
mapr.keytab file in the conf/mapr.login.conf file. The
default location for mapr.keytab is /opt/mapr/conf.
You can use the kadmin tool to update the server keys that are stored in
the keytab file. Because the server tickets used to authenticate to the CLDB use the new
keys immediately, you must copy the new keytab file to all the CLDB servers in the cluster
immediately after updating the server keys.
To update the keytab file with a new key, run the following command:
kadmin
: ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.comThe CLDB automatically detects changes to the keytab file on systems that use Java 7 or later. Systems that use Java 6 require a CLDB restart to detect changes to the keytab file.
After a Kerberos principal is created for the CLDB, that principal is added to the
mapr.keytab file, and the mapr.keytab file is copied to
all the CLDB servers, Kerberos user authentication is fully enabled for the HPE Ezmeral Data Fabric cluster.
Two configure.sh parameters are important for Kerberos:
-K|-kerberosEnable — lets the rest of the cluster know that Kerberos is
enabled, so that clients can auto detect Kerberos tickets and use them to get HPE Ezmeral Data Fabric tickets.-P "<cldbPrincipal>" — specifies the Kerberos instance which is used
to form the CLDB Kerberos principal in the form of
mapr/<instance-name>@<realm-name>. Enclose this value in quotes
("). configure.sh on each HPE Ezmeral Data Fabric cluster node, and
on each HPE Ezmeral Data Fabric client node that will communicate
with one or more clusters. For more information, see configure.sh.
configure.sh -K -P "<cldbPrincipal>" Running configure.sh on each node enters the Kerberos information into the
local clusters.conf file, so that the following command is all that is
required for the client to access the cluster:
hadoop fs -lsconfigure.sh on each node, the following two commands
are required from the client:maprlogin kerberos
hadoop fs -ls/tmp that is owned by the
user. Use the -R option to renew an existing ticket. Kerberos credentials
expire in 8-10 hours. Expired credentials must be renewed or replaced. By default, tickets
can be renewed for up to 24 hours.<userid>/admin, since administrator IDs typically end in
/admin.You can set an option in mapr-clusters.conf file to disable replay
detection for Kerberos runtime authentication.
disableReplayDetection=trueBy default, this parameter is set to false, meaning that HPE Ezmeral Data Fabric clients enable Kerberos replay detection. Typically, replay detection
is enabled to prevent potential attacks such as the replay of Kerberos packets or multiple
login attempts with the same user ID. Set this parameter to true only if
you want HPE Ezmeral Data Fabric clients not to enforce this
detection.
This parameter applies when users attempt an implicit or explicit
maprlogin, such as by using the maprlogin kerberos
command or by submitting jobs and other operations with kerberosEnable=true
set in the mapr-clusters.conf file.
This parameter is used when applications connect to the cluster using Kerberos;
mapr-clusters.conf only needs to be updated when it is used by such
applications. If all Kerberos access to the cluster is from clients outside the cluster,
only the mapr-clusters.conf file on those client machines has to be
updated. If Kerberos is used from applications running on the cluster,
mapr-clusters.conf file should be updated there as well.