Keytabs

Keytabs are critical for secure Hadoop clusters, as they allow the services to be launched without prompts for passwords

Creating a Keytab

If your management tools sets up keytabs for you: use it.


kadmin.local

ktadd -k zk.service.keytab -norandkey zookeeper/[email protected] 
ktadd -k zk.service.keytab -norandkey zookeeper/[email protected]
exit

and of course, make it accessible

chgrp hadoop zk.service.keytab
chown zookeeper zk.service.keytab

check that the user can login

# sudo -u zookeeper klist -e -kt zk.service.keytab
# sudo -u zookeeper kinit -kt zk.service.keytab zookeeper/devix.cotham.uk
# sudo -u zookeeper klist

Keytab Expiry

Keytabs expire

That is: entries in them have a limited lifespan (default: 1 year)

This is actually a feature —it limits how long a lost/stolen keytab can have access to the system.

At the same time, it's a major inconvenience as (a) the keytabs expire and (b) it's never immediately obvious why your cluster has stopped working.

Keytab security

Keytabs are sensitive items. They need to be treated as having all the access to the data of that principal

Keytabs and YARN applications

results matching ""

    No results matching ""