Create a Kerberos Principal and a keytab File for HttpFS

Skip this task if you are not using HttpFS.

Each node running the httpFS service must have a keytab file (/opt/mapr/conf/mapr.keytab) and these two principals:

  • HTTP/<fully.qualified.domain.name>
  • mapr/<fully.qualified.domain.name>

For complete instructions on generating a Kerberos principal and keytab file, see Configuring Kerberos User Authentication.

To check whether the keytab already exists, and if it contains the two necessary principals, run the klist command with the -k (keytab keys), -e (encryption type) and -t (timestamp) options.
$ klist -ket /opt/mapr/conf/mapr.keytab

The output from this command displays the following information:

  • KVNO (key version number)
  • Timestamp (the time the key was generated)
  • Principal names
  • Encryption types

If the keytab file does not exist, or does not contain both principals, generate them by following these steps.

  1. Generate a Kerberos principal for the mapr user.
    The principal is of the form
    mapr/<fully.qualified.domain.name>@<your-realm>.com
    where <fully.qualified.domain.name> is unique for each httpFS node.
    In the following example, perfnode153.perf.lab@dev-maprtech.com is used for the <fully.qualified.domain.name>@<your-realm>.com.
    $ kadmin
    kadmin: addprinc -randkey mapr/perfnode153.perf.lab@dev-maprtech.com
  2. Generate a Kerberos principal for HTTP/<fully.qualified.domain.name>. This is required for Kerberos authentication of the httpFS server using HTTP SPNEGO.
    $ kadmin
    kadmin: addprinc -randkey HTTP/perfnode153.perf.lab@dev-maprtech.com
  3. If the current node does not already have a keytab file created for another service, create one and name it mapr.keytab.
    kadmin: ktadd -k /opt/mapr/conf/mapr.keytab mapr/perfnode153.perf.lab

    Note that each node references the same keytab file (usually located at /opt/mapr/conf/mapr.keytab), and each keytab file can have multiple principals.

  4. Change the owner of the keytab file from the root user (the default) to the mapr user.
    $ chown mapr:mapr /opt/mapr/conf/mapr.keytab
  5. Set read-only permissions on the mapr.keytab file.
    $ chmod 600 mapr:mapr /opt/mapr/conf/mapr.keytab
  6. Verify credentials in the keytab file:
    To test that the credentials in the mapr.keytab file work, run the klist command with the -k (keytab keys), -e (encryption type) and -t (timestamp) options.
    $ klist -ket /opt/mapr/conf/mapr.keytab

    Verify that the output lists only one key version number (KVNO) for each principal name. If you see the same principal listed more than once with a different key version number, this could indicate a problem. The latest version number is used, which means you might not be able to log into the node and authenticate with your user credentials.

    Sample output for a node that has the httpFS and CLDB services installed is shown below.
    Keytab name: FILE:/opt/mapr/conf/mapr.keytab
     KVNO Timestamp         Principal
     ---- ----------------- --------------------------------------------------------
       2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
       2 07/18/14 18:50:07 mapr/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
       2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
       2 07/18/14 18:50:08 mapr/perfnode153.perf.lab@dev-maprtech (des-cbc-crc) 
     
       2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (aes256-cts-hmac-sha1-96)
       2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (arcfour-hmac)
       2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des3-cbc-sha1)
       2 07/18/14 18:50:26 HTTP/perfnode153.perf.lab@dev-maprtech (des-cbc-crc) 
     
       6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (aes256-cts-hmac-sha1-96)
       6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (arcfour-hmac)
       6 07/18/14 18:50:56 mapr/my.cluster.com@dev-maprtech (des3-cbc-sha1)
       6 07/18/14 18:50:57 mapr/my.cluster.com@dev-maprtech (des-cbc-crc)

    In the example, the following principals are listed for the node perfnode153.perf.lab:

      • mapr/perfnode153.perf.lab@dev-maprtech
        (for authenticating to the httpFS service)
      • HTTP/perfnode153.perf.lab@dev-maprtech
        (for communicating securely over HTTP)
      • mapr/my.cluster.com
        (for authenticating to the CLDB service)
  7. Verify that context.xml.jpamLogin exists in this location:
    /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin.
    This file may have been renamed to context.xml to configure PAM authentication for HttpFS. However, to configure Kerberos for HttpFS, rename the file back to context.xml.jpamLogin.
    mv /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml /opt/mapr/httpfs/httpfs-1.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/META-INF/context.xml.jpamLogin