Hadoop and trusted MiTv5 Kerberos with Active Directory
Here is an up-to-date example of how to enable an MiTv5 Kerberos <=> Active Directory trust from scratch. It should work out of the box; just replace the realms:
HADOOP1.INTERNAL = local server (KDC)
ALO.LOCAL = local Kerberos realm
AD.REMOTE = AD realm
with your own servers. The KDC should be inside your Hadoop network; the remote AD can be anywhere.
1. Install the bits
On the KDC server (CentOS, RHEL; other distributions should ship nearly the same packages):
yum install krb5-server krb5-libs krb5-workstation -y
On the clients (Hadoop nodes):
yum install krb5-libs krb5-workstation -y
Install Java's JCE policy files (see the Oracle documentation) on all Hadoop nodes.
2. Configure your local KDC
/etc/krb5.conf
[libdefaults]
default_realm = ALO.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
max_life = 1d
max_renewable_life = 7d
renew_lifetime = 7d
default_tgs_enctypes = aes128-cts arcfour-hmac
default_tkt_enctypes = aes128-cts arcfour-hmac
[realms]
ALO.LOCAL = {
kdc = hadoop1.internal:88
admin_server = hadoop1.internal:749
max_life = 1d
max_renewable_life = 7d
}
AD.REMOTE = {
kdc = ad.remote.internal:88
admin_server = ad.remote.internal:749
max_life = 1d
max_renewable_life = 7d
}
[domain_realm]
alo.local = ALO.LOCAL
.alo.local = ALO.LOCAL
ad.remote.internal = AD.REMOTE
.ad.remote.internal = AD.REMOTE
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
ALO.LOCAL = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
/var/kerberos/krb5kdc/kadm5.acl
*/admin@ALO.LOCAL *
Create the realm on your local KDC and start the services
kdb5_util create -s -r ALO.LOCAL
service kadmin restart
service krb5kdc restart
chkconfig kadmin on
chkconfig krb5kdc on
Create the admin principal
kadmin.local -q "addprinc root/admin"
3. Create the MiTv5 trust in AD
Using the Windows - Power(!sic) - Shell:
ksetup /addkdc ALO.LOCAL HADOOP1.INTERNAL
netdom trust ALO.LOCAL /DOMAIN:AD.REMOTE /add /realm /passwordt:passw0rd
ksetup /SetEncTypeAttr ALO.LOCAL RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96 DES-CBC-CRC DES-CBC-MD5
=> On Windows 2003 this works, too:
ktpass /ALO.LOCAL /DOMAIN:AD.REMOTE /TrustEncryp aes128-cts arcfour-hmac
=> On Windows 2008 you have to add:
ksetup /SetEncTypeAttr ALO.LOCAL aes128-cts arcfour-hmac
4. Create the AD trust in MiTv5
The password of this cross-realm principal must be the same one given to netdom on the AD side, since both KDCs must hold the same key:
kadmin.local: addprinc krbtgt/ALO.LOCAL@AD.REMOTE
password: passw0rd
5. Configure Hadoop's mapping rules
core-site.xml
<property>
<name>hadoop.security.auth_to_local</name>
<value>RULE:[1:$1@$0](.*@\QAD.REMOTE\E$)s/@\QAD.REMOTE\E$//
RULE:[2:$1@$0](.*@\QAD.REMOTE\E$)s/@\QAD.REMOTE\E$//
DEFAULT</value>
</property>
Done. Now you should be able to get a ticket from your AD that lets you work with your Hadoop installation:
#> kinit alo.alt@AD.REMOTE
#> klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: alo.alt@AD.REMOTE
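To see what the two RULE lines in core-site.xml actually do to an incoming principal, here is an added example (written for this post, not Hadoop's own code): a small Python evaluator for the auth_to_local syntax, run over the rules and realm names above. The principals it is fed are constructed test values.

```python
import re

# Minimal evaluator for Hadoop's hadoop.security.auth_to_local syntax, added
# for illustration (not Hadoop's implementation). A line
# RULE:[n:fmt](regex)s/pat/repl/ applies only to principals with n components;
# fmt is filled with $0 = realm and $1..$n = components, the result is checked
# against regex and rewritten with the sed-style substitution. DEFAULT maps
# principals of the local realm to their first component.
LOCAL_REALM = "ALO.LOCAL"

# The rules from core-site.xml, in order.
RULES = [
    r"RULE:[1:$1@$0](.*@\QAD.REMOTE\E$)s/@\QAD.REMOTE\E$//",
    r"RULE:[2:$1@$0](.*@\QAD.REMOTE\E$)s/@\QAD.REMOTE\E$//",
    "DEFAULT",
]

RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?"
)

def java_regex_to_python(rx):
    # Hadoop uses Java regexes; \Q...\E literal quoting has no Python
    # equivalent, so escape the quoted text instead.
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), rx)

def apply_rules(principal, rules=RULES, local_realm=LOCAL_REALM):
    """Return the short (OS) name for principal, or None if no rule matches
    (Hadoop itself raises NoMatchingRule in that case)."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm:
                return components[0]
            continue
        n, fmt, match_rx, pat, repl, flag = RULE_RE.fullmatch(rule).groups()
        if int(n) != len(components):
            continue
        s = fmt.replace("$0", realm)
        for i, comp in enumerate(components, 1):
            s = s.replace(f"${i}", comp)
        if match_rx and not re.fullmatch(java_regex_to_python(match_rx), s):
            continue
        if pat:
            s = re.sub(java_regex_to_python(pat), repl, s, count=0 if flag else 1)
        return s
    return None
```

Cross-realm AD users lose their realm suffix, local-realm principals fall through to DEFAULT, and a principal from any third realm maps to nothing, which is the intended behaviour of the rule set.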
Nice blog thanks for sharing.