Kerberos - shaysalomon12/Data-Engineer GitHub Wiki
- There are 2 methods:
- When you have a keytab file, do a kinit using a principal who has access to Hadoop. Assuming a principal name "hdp/<server_name>@REALM.COM":
  ```
  $ kinit -kt <hdp.keytab file> hdp/<server_name>@REALM.COM
  ```
- Use principal "[email protected]" and password:
  ```
  $ kinit [email protected]
  Enter Password: ******
  ```
  ```
  $ ktutil
  ```
  In the ktutil shell, enter:
  ```
  > addent -password -p <principal name> -k 1 -e <encryption algorithm, max AD support: "rc4-hmac">
  > wkt <keytab file location>
  > quit
  ```
  ```
  $ klist -kt <key tab file>
  ```
  Run all three commands on the Hive server and the Secure Agent server to verify the connectivity.
- Use klist to display the keytab file entries. For example, a correctly created keytab file should look something like this:
  Syntax:
  ```
  klist -e -k -t <keytab-file>
  ```
  Example:
  ```
  [root@linux ~]# klist -e -k -t /root/kerb/hdfs.keytab
  Keytab name: FILE:/root/kerb/hdfs.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     1 03/10/17 17:01:32 [email protected] (arcfour-hmac)
  ```
- Run kinit with the principal name and the keytab to confirm that the keytab file can be used to establish a Kerberos connection:
  Syntax:
  ```
  kinit -V -k -t <keytab-file> <Principal account-name>
  ```
  Example:
  ```
  [root@linux ~]# kinit -V -k -t /root/kerb/hdfs.keytab [email protected]
  Using default cache: /tmp/krb5cc_0
  Using principal: [email protected]
  Using keytab: /root/kerb/hdfs.keytab
  Authenticated to Kerberos v5
  ```
- Run this command to see if we are able to connect using the JDBC URL.
  Syntax:
  ```
  beeline -u <JDBC_Url>
  ```
  Example:
  ```
  beeline -u jdbc:hive2://localhost:10000/default
  ```
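
The `klist -e -k -t` listing above also shows each key's encryption type. As an added example (not part of the original wiki), the shell function below reads that listing and reports keys whose enctype is RC4 or DES-family, which RFC 6649 and RFC 8429 deprecate for Kerberos. The function name, the sample listing and its principal and realm are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the enctypes listed by `klist -e -k -t <keytab-file>`.
# Reads klist output on stdin and prints "KVNO principal enctype" for each
# weak key. Returns 1 if any weak key was found, 0 otherwise.
# weak_keytab_entries is a hypothetical helper name, not a Kerberos tool.
weak_keytab_entries() {
    awk '
        # Entry lines start with a numeric KVNO; header and ruler lines do not.
        # NF >= 5 requires the "(enctype)" column that the -e flag adds.
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            enc = $NF
            gsub(/[()]/, "", enc)         # "(arcfour-hmac)" -> "arcfour-hmac"
            sub(/^DEPRECATED:/, "", enc)  # prefix printed by newer MIT klist
            # RC4 (arcfour/rc4), single DES and 3DES are deprecated for
            # Kerberos (RFC 6649, RFC 8429).
            if (enc ~ /^(arcfour|rc4|des)/) {
                print $1, $(NF-1), enc
                weak = 1
            }
        }
        END { exit weak+0 }
    '
}

# Constructed sample in the layout shown above (placeholder principal/realm).
SAMPLE_KLIST='Keytab name: FILE:/root/kerb/hdfs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 03/10/17 17:01:32 hdfs/host.example.com@EXAMPLE.COM (arcfour-hmac)
   2 03/10/17 17:05:10 hdfs/host.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 03/10/17 17:05:10 hdfs/host.example.com@EXAMPLE.COM (DEPRECATED:des3-cbc-sha1)'

# Live use: klist -e -k -t <keytab-file> | weak_keytab_entries
```

A non-zero return means at least one key in the keytab would still be usable with a deprecated enctype.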