Kerberos Ticket Autorenewal




Is there any roadmap development planned in Mavericks or in Yosemite to make it possible that Kerberos tickets renew automatically? This is such a nightmare, to each time open the Ticket Viewer and push this small renew button, like 10 times per day.

Click the Get Ticket button and enter your principal (your Kerberos identity) and password to obtain a ticket. The ticket allows you to securely access all of the computers and services set up to authenticate you through Kerberos, until the ticket expires, without requiring you.

Kerberos tickets have a maximum renewable lifetime, which is a KDC server setting, and nothing will let you renew one ticket past this time. The only thing you could do is store the user's credentials and request a fresh new ticket on their behalf. That being said, you shouldn't have to.
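What unattended renewal looks like in practice, as an added example that is not part of the thread: the script below parses klist, calls kinit -R only while the ticket is both unexpired and inside its renewable lifetime, and stops with a clear message once the KDC's limit is reached, which is exactly the limit the reply above describes. It assumes MIT-style klist output (a "MM/DD/YY[YY] HH:MM:SS" ticket line with "renew until" on the following line); Heimdal on OS X formats dates differently, so the parser would need adjusting there. The klist listing embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: keep a TGT alive with "kinit -R" for
# exactly as long as the KDC allows, and say so when the renewable lifetime is
# used up instead of failing quietly. Assumes MIT-style klist output: a
# "MM/DD/YY[YY] HH:MM:SS" ticket line, "renew until" on the following line.
# Heimdal on OS X prints dates differently, so the parser needs adjusting there.

# Constructed klist output; a real run reads "klist" instead.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: cloudera@CLOUDERA

Valid starting       Expires              Service principal
09/07/2015 07:33:00  09/07/2015 17:33:00  krbtgt/CLOUDERA@CLOUDERA
	renew until 09/14/2015 07:33:00'

# "MM/DD/YYYY HH:MM:SS" (or 2-digit year) -> YYYYMMDDHHMMSS, so that
# timestamps can be compared as integers with test(1).
to_sortable() {
    printf '%s\n' "$1" | awk -F'[/ :]+' '{
        y = $3; if (length(y) == 2) y = "20" y
        printf "%s%s%s%s%s%s\n", y, $1, $2, $4, $5, $6 }'
}

# Expiry of the TGT (the krbtgt/ line) in a klist listing read from stdin.
tgt_expires() {
    awk '/krbtgt\// { print $3, $4; exit }'
}

# "renew until" of the TGT, or nothing if the KDC issued it non-renewable.
tgt_renew_until() {
    awk '/krbtgt\// { tgt = 1; next }
         tgt { if ($0 ~ /renew until/) print $3, $4; exit }'
}

# Prints "renew", "refresh" (need a brand-new kinit) or "none" (no ticket).
#   $1 = klist listing, $2 = current time as YYYYMMDDHHMMSS
next_action() {
    listing=$1; now=$2
    if ! printf '%s\n' "$listing" | grep -q 'krbtgt/'; then
        echo none
        return 0
    fi
    exp=$(to_sortable "$(printf '%s\n' "$listing" | tgt_expires)")
    ru=$(printf '%s\n' "$listing" | tgt_renew_until)
    # An expired ticket cannot be renewed, and nothing renews past "renew until":
    # that is the KDC's maximum renewable lifetime the reply above talks about.
    if [ "$now" -ge "$exp" ] || [ -z "$ru" ] || [ "$now" -ge "$(to_sortable "$ru")" ]; then
        echo refresh
    else
        echo renew
    fi
}

# Poll every $1 seconds; renew while that is possible, stop with a reason otherwise.
autorenew() {
    while :; do
        case $(next_action "$(klist 2>/dev/null)" "$(date +%Y%m%d%H%M%S)") in
            renew)
                kinit -R || { echo "kinit -R failed; get a fresh ticket with kinit" >&2; return 1; } ;;
            refresh)
                echo "ticket expired or renewable lifetime used up; run kinit again" >&2
                return 1 ;;
            none)
                echo "no ticket in ${KRB5CCNAME:-the default cache}; run kinit first" >&2
                return 1 ;;
        esac
        sleep "$1"
    done
}

if [ "${1:-}" = "--run" ]; then
    autorenew "${2:-600}"
fi
```

Run it in the background as `sh autorenew.sh --run 600` after a normal kinit; it renews every ten minutes and exits, with a message, the first time renewal is no longer possible, which is when you have to type your password again (or use a keytab).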

Use the scripts and screenshots below to configure a Kerberized cluster in minutes.

Kerberos is the foundation of securing your Apache Hadoop cluster. With Kerberos enabled, user authentication is required. Once users are authenticated, you can use projects like Apache Sentry (incubating) for role-based access control via GRANT/REVOKE statements.

Taming the three-headed dog that guards the gates of Hades is challenging, so Cloudera has put significant effort into making this process easier in Hadoop-based enterprise data hubs. In this post, you’ll learn how to stand-up a one-node cluster with Kerberos enforcing user authentication, using the Cloudera QuickStart VM as a demo environment.

If you want to read the product documentation, it’s available here. You should consider this reference material; I’d suggest reading it later to understand more details about what the scripts do.

Requirements

You need the following downloads to follow along.

  • The QuickStart VM, along with a corresponding VM runtime environment
  • The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle; without them the JVM cannot use the AES-256 ticket encryption configured later in the wizard

Initial Configuration

Before you start the QuickStart VM, increase the memory allocation to 8GB RAM and increase the number of CPUs to two. You can get by with a little less RAM, but we will have everything including the Kerberos server running on one node.

Start up the VM and activate Cloudera Manager as shown here:

Give this script some time to run; it has to restart the cluster.

KDC Install and Setup Script

The script goKerberos_beforeCM.sh does all the setup work for the Kerberos server and the appropriate configuration parameters. The comments are designed to explain what is going on inline. (Do not copy and paste this script! It contains unprintable characters that are pretending to be spaces. Rather, download it.)
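For readers who want to see what such a script has to do before Cloudera Manager can take over, here is an added example of a minimal KDC setup for the values the wizard section uses. It is not the goKerberos_beforeCM.sh script (download that one) and is limited to the essentials; the CentOS package names and paths, the CLOUDERA realm, the cloudera-scm/admin principal and, for the VM only, the password cloudera are assumptions on my part. The renewal check at the end matters beyond the VM: a realm whose max_renewable_life is zero issues non-renewable tickets, and several CDH components renew their tickets with kinit -R and fail against such a realm.

```shell
#!/bin/sh
# Added example of what a "before Cloudera Manager" KDC setup has to do; it is
# not the goKerberos_beforeCM.sh script from the post. Realm, host and admin
# principal are the ones the wizard section uses; paths and package names are
# CentOS; the password "cloudera" is only acceptable on the throwaway VM.

REALM=${REALM:-CLOUDERA}
KDC_HOST=${KDC_HOST:-quickstart.cloudera}
ADMIN_PRINC=${ADMIN_PRINC:-cloudera-scm/admin}

# Client-side config: which KDC serves the realm and which cipher to use.
render_krb5_conf() {  # $1 = realm, $2 = kdc host
    cat <<EOF
[libdefaults]
 default_realm = $1
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96

[realms]
 $1 = {
  kdc = $2
  admin_server = $2
 }
EOF
}

# Server-side realm settings. max_renewable_life must be non-zero, otherwise
# every ticket the KDC issues is non-renewable.
render_kdc_conf() {  # $1 = realm
    cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $1 = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  max_life = 1d
  max_renewable_life = 7d
  supported_enctypes = aes256-cts-hmac-sha1-96:normal
 }
EOF
}

# Exit 0 if the kdc.conf text on stdin lets realm $1 issue renewable tickets.
realm_allows_renewal() {
    awk -v r="$1" '
        $1 == r && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && $1 == "}"             { in_realm = 0 }
        in_realm && $1 == "max_renewable_life" && $3 !~ /^0+[a-zA-Z]*$/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Build the realm on the KDC host; run once as root, before the CM wizard.
kdc_setup() {
    yum -y install krb5-server krb5-libs krb5-workstation
    render_krb5_conf "$REALM" "$KDC_HOST" > /etc/krb5.conf
    render_kdc_conf "$REALM" > /var/kerberos/krb5kdc/kdc.conf
    render_kdc_conf "$REALM" | realm_allows_renewal "$REALM" || return 1
    # Any */admin principal may administer the realm; the CM wizard uses one.
    printf '*/admin@%s\t*\n' "$REALM" > /var/kerberos/krb5kdc/kadm5.acl
    kdb5_util create -s -r "$REALM" -P cloudera              # -P: VM only
    kadmin.local -q "addprinc -pw cloudera $ADMIN_PRINC@$REALM"
    service krb5kdc start && service kadmin start
    chkconfig krb5kdc on && chkconfig kadmin on
}

if [ "${1:-}" = "--run" ]; then
    kdc_setup
fi
```

The wizard's "Kerberos Encryption Types" entry has to name a type that appears in the KDC's supported_enctypes, which is why the two render functions agree on aes256-cts-hmac-sha1-96.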

Cloudera Manager Kerberos Wizard

After running the script, you now have a working Kerberos server and can secure the Hadoop cluster. The wizard will do most of the heavy lifting; you just have to fill in a few values.

To start, log into Cloudera Manager by going to http://quickstart.cloudera:7180 in your browser. The userid is cloudera and the password is cloudera. (Almost needless to say but never use “cloudera” as a password in a real-world setting.)

There are lots of productivity tools here for managing the cluster but ignore them for now and head straight for the Administration > Kerberos wizard as shown in the next screenshot.

Click on the “Enable Kerberos” button.

The four checklist items were all completed by the script you’ve already run. Check off each item and select “Continue.”

The Kerberos Wizard needs to know the details of what the script configured. Fill in the entries as follows:

  • KDC Server Host: quickstart.cloudera
  • Kerberos Security Realm: CLOUDERA
  • Kerberos Encryption Types: aes256-cts-hmac-sha1-96 (this is why the JCE policy files are a requirement; the type must also be one the KDC supports)

Click “Continue.”

Do you want Cloudera Manager to manage the krb5.conf files in your cluster? Remember, the whole point of this blog post is to make Kerberos easier. So, please check “Yes” and then select “Continue.”

The Kerberos Wizard is going to create Kerberos principals for the different services in the cluster. To do that it needs a Kerberos Administrator ID. The ID created is: cloudera-scm/admin@CLOUDERA.

The screenshot shows how to enter this information. Recall the password is: cloudera.

The next screen provides good news: it lets you know that the wizard was able to authenticate to the KDC with that administrator principal.

OK, you’re ready to let the Kerberos Wizard do its work. Since this is a VM, you can safely select “I’m ready to restart the cluster now” and then click “Continue.” You now have time to go get a coffee or other beverage of your choice.

How long does that take? Just let it work.

Congrats, you are now running a Hadoop cluster secured with Kerberos.


Kerberos is Enabled. Now What?

The old method of su - hdfs no longer grants administrator access to the HDFS filesystem: with Kerberos enabled, HDFS identifies you by the principal in your ticket, not by your Unix user, so an hdfs shell without a ticket is just an unauthenticated client. Here is how you become the hdfs user with Kerberos:

Now validate you can do hdfs user things:

Next, destroy the hdfs ticket (kdestroy) so the superuser credentials do not linger in your credential cache and interfere with the steps that follow as the cloudera user:
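The three steps above (get the hdfs ticket, use it, destroy it) as one script, added here as an example rather than the post's own commands. It assumes Cloudera Manager's keytab location (a per-process directory under /var/run/cloudera-scm-agent/process whose name ends in -hdfs-NAMENODE, containing hdfs.keytab) and the CLOUDERA realm entered in the wizard; the klist -kt listing embedded in it is constructed. It puts the superuser ticket in a private credential cache so it never sits in your own, and destroys it as soon as the command finishes.

```shell
#!/bin/sh
# Added example, not the post's own commands: become the HDFS superuser from
# the keytab Cloudera Manager generated for the NameNode, run one command, and
# throw the ticket away. Assumptions: CM's per-process directories live under
# /var/run/cloudera-scm-agent/process (NameNode ones end in -hdfs-NAMENODE and
# hold hdfs.keytab) and the realm is CLOUDERA as entered in the wizard.

PROCESS_DIR=${PROCESS_DIR:-/var/run/cloudera-scm-agent/process}

# Constructed "klist -kt" output, the format principal_for parses.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/var/run/cloudera-scm-agent/process/40-hdfs-NAMENODE/hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/07/2015 07:30:12 hdfs/quickstart.cloudera@CLOUDERA
   2 09/07/2015 07:30:12 HTTP/quickstart.cloudera@CLOUDERA'

# Newest NameNode process directory under $1 (highest numeric prefix). CM makes
# a fresh one on every restart and leaves the old ones, with stale keytabs, behind.
newest_namenode_dir() {
    for d in "$1"/*-hdfs-NAMENODE; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done | awk -F/ '{ n = $NF; sub(/-.*/, "", n); print n, $0 }' | sort -n | tail -n 1 | cut -d' ' -f2-
}

# First principal of service $1 (e.g. hdfs) in a "klist -kt" listing on stdin.
principal_for() {
    awk -v svc="$1" 'index($NF, svc "/") == 1 { print $NF; exit }'
}

# kinit from the keytab into a private cache, run the command, kdestroy.
# Reading the keytab needs root, so run this with sudo.
as_hdfs() {
    [ $# -gt 0 ] || set -- hdfs dfs -ls /
    kt="$(newest_namenode_dir "$PROCESS_DIR")/hdfs.keytab"
    if [ ! -r "$kt" ]; then
        echo "cannot read $kt (run as root, and check that HDFS is running)" >&2
        return 1
    fi
    princ=$(klist -kt "$kt" | principal_for hdfs)
    if [ -z "$princ" ]; then
        echo "no hdfs/ principal found in $kt" >&2
        return 1
    fi
    # Private cache: the superuser TGT never lands in your own credential cache.
    KRB5CCNAME="FILE:/tmp/krb5cc_hdfs_admin_$$"
    export KRB5CCNAME
    kinit -kt "$kt" "$princ" || return 1
    klist                     # shows hdfs/quickstart.cloudera@CLOUDERA
    "$@"
    rc=$?
    kdestroy                  # the superuser ticket must not linger
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    shift
    as_hdfs "$@"
fi
```

Usage: `sudo sh as_hdfs.sh --run hdfs dfsadmin -report`. Because HDFS now trusts the principal and not the Unix account, it makes no difference that the shell itself is root's; what matters is that the ticket is gone again when the command returns.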

The YARN min.user.id setting needs to be fixed: the NodeManager's LinuxContainerExecutor refuses to run containers for any account whose uid is below min.user.id (1000 by default), and the cloudera user's uid is lower than that. This is the error message you get without fixing min.user.id:

Save the changes shown above and restart the YARN service. Now validate that the cloudera user can use the cluster:

If you forget to kinit before trying to use the cluster, you'll get the errors below. The simple fix is to kinit with the principal you wish to use.
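An added check for the min.user.id step and the kinit-first rule above, not part of the original post: it applies the rule container-executor applies (refuse banned users; refuse uids below min.user.id unless the name is in allowed.system.users) to a container-executor.cfg, so you can see which accounts will be rejected before restarting YARN, and it refuses to run cluster commands without a valid ticket. The cfg text is constructed; the cfg path, the uid 501 for the cloudera user and the examples jar path are assumptions about the QuickStart VM.

```shell
#!/bin/sh
# Added example, not from the post: apply container-executor's user rule to a
# container-executor.cfg offline, and refuse to run cluster commands without a
# ticket. The cfg text below is constructed; the cfg path, the uid 501 for the
# cloudera user and the examples jar path are assumptions about the QuickStart VM.

# Constructed container-executor.cfg with the stock min.user.id of 1000.
SAMPLE_CFG='yarn.nodemanager.linux-container-executor.group=yarn
banned.users=hdfs,yarn,mapred,bin
min.user.id=1000
allowed.system.users=nobody,impala,hive,llama'

CFG_FILE=${CFG_FILE:-/etc/hadoop/conf/container-executor.cfg}   # assumed path
EXAMPLES_JAR=${EXAMPLES_JAR:-/usr/lib/hadoop-mapreduce/hadoop-mapreduce-examples.jar}

# Print the value of key $1 from cfg text on stdin (last assignment wins).
cfg_get() {
    awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Exit 0 if comma-separated list $1 contains name $2.
list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# The decision the LinuxContainerExecutor makes before launching a container:
# banned users are refused; uids below min.user.id are refused unless the
# name is in allowed.system.users.   $1 = cfg text, $2 = user name, $3 = uid
container_user_ok() {
    cfg=$1; user=$2; uid=$3
    if list_has "$(printf '%s\n' "$cfg" | cfg_get banned.users)" "$user"; then
        echo "$user is in banned.users" >&2
        return 1
    fi
    min=$(printf '%s\n' "$cfg" | cfg_get min.user.id)
    min=${min:-1000}
    if [ "$uid" -lt "$min" ] && ! list_has "$(printf '%s\n' "$cfg" | cfg_get allowed.system.users)" "$user"; then
        echo "$user has uid $uid, below min.user.id=$min, and is not in allowed.system.users" >&2
        return 1
    fi
    return 0
}

# Same check against the real cfg and the real uid of a local account.
check_local_user() {  # $1 = user name
    container_user_ok "$(cat "$CFG_FILE")" "$1" "$(id -u "$1")"
}

# A secured cluster answers un-kinit'd clients with authentication errors;
# check the cache first and say exactly what to run.
require_ticket() {  # $1 = principal to suggest
    if klist -s 2>/dev/null; then
        return 0
    fi
    echo "no valid Kerberos ticket; run: kinit $1" >&2
    return 1
}

# What the post validates after the YARN restart: an HDFS listing and a
# small MapReduce job as the cloudera user.
validate_as() {  # $1 = principal, e.g. cloudera@CLOUDERA
    require_ticket "$1" || return 1
    hdfs dfs -ls / && yarn jar "$EXAMPLES_JAR" pi 2 10
}

if [ "${1:-}" = "--run" ]; then
    check_local_user cloudera && validate_as cloudera@CLOUDERA
fi
```

Lowering min.user.id to 500 is the right fix on the VM because regular accounts on CentOS 6 start at uid 500, so the setting still tracks the distribution's system/user boundary. Lowering it further, or adding a service account to allowed.system.users, lets jobs run as system users, which is exactly what the check exists to prevent; that is the change to be wary of on a real cluster.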

Congratulations, you have a running Kerberos cluster!


Marty Lurie is a Systems Engineer at Cloudera.


I do not know a lot about Kerberos. I do have to get a Kerberos ticket from time to time at work, but that is mostly just issuing the kinit command they tell me to issue.

Anyway, looking at 'man kinit' there is a --lifetime=value option and I'm wondering if you can use a Terminal session to create your Kerberos ticket with a longer lifetime.

Applications -> Utilities -> Terminal

man kinit

Oh yeah, I should also say, you are not talking to Apple in these forums. Just fellow Mac users. And Apple does not tell us anything until they do, and then they only tend to tell us about flashy GUI-type stuff, no plumbing such as Kerberos.


You can use the bugs or feedback channels to communicate with Apple.

BugReporter

<http://bugreporter.apple.com>

Free ADC (Apple Developer Connection) account needed for BugReporter.

Anyone can get a free account at:

And/Or

Mac OS X Feedback

<http://www.apple.com/feedback/macosx.html>

Sep 7, 2015 7:33 AM




