Getting Started with Kerberos

Overview

This getting started gives some clues to start working with Kerberos.

It describes how to create the Kerberos Metadata, that centralize the Kerberos information, such as the various principals and keytabs.

These information are then used in the other components that supports Kerberos authentication.

Create the Metadata

To create a Kerberos Metadata, launch the Metadata creation wizard, select the Kerberos Metadata in the list and follow the wizard.

Then, configure the server and principals properties.

Server Properties

The server node is the root node of the Metadata.

It represents the global Kerberos properties shared with all the principals.

Below, an example of a server node:

getting started kerberos server node overview

The following server properties are available.

Property Description Example

Kerberos Configuration File Path

Path to the Kerberos configuration file.
This is a file usually named krb5.conf and which contains the location of the Kerberos server and necessary information to perform the Kerberos connection.

This property is mandatory.

This is used to define a property that is global and unique on the running Java Virtual Machine. You can only use one Configuration file at a time and changing it requires to restart the Designer / Runtime.

D:/kerberos/krb5.conf

Enable Kerberos Debug

Optional debug property that allows to print more information in the Designer and Runtime consoles when performing Kerberos connections.

This can help to debug connection issues, as Kerberos will return more details and logs about the connection operations.

As a reminder, to launch the Designer console, start the Designer through a command prompt with the -console option.

Java Security Debug Properties

Optional comma separated list of debug values that should be returned by Java.

This specifies the java.security.debug Java property, which defines the debug logs that should be returned.

When you are debugging Kerberos connection issues, we advise to set it to the example value to get precise log information.

gssloginconfig,configfile,configparser,logincontext

Principal Properties

Under Kerberos, an account in called a 'principal'.

In the Kerberos Metadata, you can add as many principals as required, representing your different services, organizations, …​

To add a new Principal:

  1. right click on the server node

  2. choose new > Kerberos Principal

Below, an example of a principal node:

getting started kerberos principal node overview

The following properties are available:

Property Description Example

Name

Logical label (alias) to identify the Principal.
This property is mandatory.

hbase

Kerberos Principal

Kerberos Principal name. The Kerberos Principal must meet the standard Kerberos Principal syntax, that is the following:

<primary>/<instance>@<REALM>

This property is mandatory.

hbase/quickstart.cloudera@CLOUDERA

Kerberos Local Keytab File Path

Local Path to the Keytab file associated to the Principal.

It must be reachable by the Designer / Runtime.

This property is mandatory.

D:/kerberos/hbase.keytab

Kerberos Remote Keytab File Path

Optional remote Path to the Keytab file associated to the Principal.

Templates and tools that are launching commands over SSH on servers secured with Kerberos requires to perform a Kerberos connection on the server, before operating.

This property specifies the path of the Keytab on the remote server.

/home/cloudera/xdi/kerberos/hbase.keytab