Configuring Kerberos

Describes how Kerberos works with HPE Ezmeral Data Fabric tickets.

HPE Ezmeral Data Fabric does not directly support Kerberos. However, Kerberos is indirectly supported through the HPE Ezmeral Data Fabric login utility, which is used to generate HPE Ezmeral Data Fabric tickets. This topic describes how Kerberos works with HPE Ezmeral Data Fabric tickets.

Kerberos Compatibility with RHEL 8

If you install Kerberos out of the box with RHEL 8, it uses a new and default Kerberos Cache Manager (KCM) credentials cache type, which fails to work with the maprlogin kerberos command. To resolve this issue, disable KCM.

Open the file /etc/krb5.conf.d/kcm_default_ccache, and comment out the following lines:

[libdefaults]
        default_ccache_name = KCM:             

Alternatively, remove this file.

Configuring Kerberos for Authentication Using HPE Ezmeral Data Fabric Tickets

To use Kerberos to generate HPE Ezmeral Data Fabric tickets for users, enable Kerberos on CLDB. Do so by creating a Kerberos identity on the Kerberos server used by the cluster and distributing that identity to the other CLDB nodes in the cluster.

NOTE
You must enable wire-level security on your clusters before using Kerberos. See Enabling Wire-level Security.

HPE Ezmeral Data Fabric clusters do not provide Kerberos infrastructure. This section assumes you have a functioning Kerberos realm and your systems have the Kerberos client installed. The tips in this section assume a Linux-based Kerberos environment. The specific commands for your environment may vary. Please consult with your Kerberos administrator for assistance.

IMPORTANT
If you are using strong encryption with Kerberos with the Oracle JDK, a new Java Cryptography Extension (JCE) policy file is required.

Creating a Kerberos Identity for the CLDB

The CLDB requires a Kerberos server identity, but no other nodes do. By default, this identity takes the mapr/<cluster name> form . Use configure.sh or edit the mapr-clusters.conf file to change this default. Use the following commands in a Linux-based Kerberos environment to set up the identity:

kadmin
        : addprinc -randkey mapr/my.cluster.com
        : ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.com

Copy the resulting mapr.keytab file to the same location on every CLDB node. The mapr.keytab file must be owned and readable only by the mapr user. Optionally specify the location of the mapr.keytab file in the conf/mapr.login.conf file. The default location for mapr.keytab is /opt/mapr/conf.

Updating the keytab File

Use the kadmin tool to update the server keys that are stored in the keytab file. Because the server tickets used to authenticate to the CLDB use the new keys immediately, you must copy the new keytab file to all the CLDB servers in the cluster immediately after updating the server keys.

To update the keytab file with a new key, run the following command:

kadmin
        : ktadd -k /opt/mapr/conf/mapr.keytab mapr/my.cluster.com

The CLDB automatically detects changes to the keytab file on systems that use Java 7 or later. Systems that use Java 6 require a CLDB restart to detect changes to the keytab file.

NOTE
Starting with the 4.0.1 release of the MapR software, Java 6 is deprecated in favor of Java 7 and Java 8.

Running configure.sh

After a Kerberos principal is created for the CLDB, it is added to the mapr.keytab file and the mapr.keytab file is copied to all the CLDB servers, Kerberos user authentication is then fully enabled for the HPE Ezmeral Data Fabric cluster.

Two configure.sh parameters are important for Kerberos:

  • -K|-kerberosEnable—lets the rest of the cluster know that Kerberos is enabled, so that clients can auto detect Kerberos tickets and use them to get HPE Ezmeral Data Fabric tickets.
  • -P "<cldbPrincipal>"—specifies the Kerberos instance which is used to form the CLDB Kerberos principal in the form of mapr/<instance-name>@<realm-name>. Enclose this value in quotes (").
Run configure.sh on each HPE Ezmeral Data Fabric cluster node and on each HPE Ezmeral Data Fabric client node that will communicate with one or more clusters. For more information, see configure.sh.
configure.sh -K -P "<cldbPrincipal>" 

Running configure.sh on each node enters the Kerberos information into the local clusters.conf file, so that the following command is all that is required for the client to access the cluster:

hadoop fs -ls
If you do not run configure.sh on each node, the following two commands are required from the client:
maprlogin kerberos
hadoop fs -ls

Kerberos Command Summary

  • kinit: Creates a Kerberos ticket. Prompts the user for the userid and password. After validating, Kerberos creates a ticket file in /tmp which is owned by the user. Use the -R option to renew an existing ticket. Kerberos credentials expire in 8-10 hours. Expired credentials must be renewed or replaced. By default, tickets can be renewed for up to 24 hours.
  • klist: Lists the contents of the user's ticket file.
  • kdestroy: Destroys the contents of the user's ticket file. The user is no longer authenticated.
  • kadmin: Used to administer Kerberos. The login for this command is implicitly <userid>/admin since administrator IDs typically end in /admin.
  • ktutil: As the Kerberos keytab maintenance utility, combines or alters Kerberos keytabs.

Disabling Replay Detection for Kerberos Authentication

You can set an option, as shown below, in mapr-clusters.conf file to disable replay detection for Kerberos runtime authentication.

disableReplayDetection=true

By default, this parameter is set to false, meaning that HPE Ezmeral Data Fabric clients enable Kerberos replay detection. Replay detection is enabled to prevent potential attacks, such as the replay of Kerberos packets or multiple login attempts with the same user ID. Set this parameter to true only if you do not want HPE Ezmeral Data Fabric clients to enforce this detection.

This parameter applies if users attempt an implicit or explicit maprlogin, using the maprlogin kerberos command, or by submitting jobs and other operations with kerberosEnable=true set in the mapr-clusters.conf file.

This parameter is used if applications connect to the cluster using Kerberos. mapr-clusters.conf only needs to be updated if it is used by such applications. If all Kerberos access to the cluster is from clients outside the cluster, only the mapr-clusters.conf file on those client machines must be updated. If Kerberos is used from applications running on the cluster, mapr-clusters.conf file should be updated there as well.