Step-by-step guide
To set up Kerberos on Groundplex nodes:
- Before starting the steps below, make sure the Groundplex is working correctly.
Install Kerberos packages on Groundplex nodes.
$ sudo yum install krb5-workstation krb5-libs krb5-auth-dialog
Copy the file /etc/krb5.conf from one of the target cluster nodes to /etc/krb5.conf on each Groundplex node.
- Install the JCE extension on each Groundplex node.
- Download the JCE extension zip file: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Copy the JCE extension zip file onto each Groundplex node and install the JCE extension with the following command. Restart the node after the installation.
$ unzip -o -j -q jce_policy-8.zip -d /opt/snaplogic/pkgs/jre1.8.0_45/lib/security/
To check that the JCE extension was installed correctly, run the command below. The output should match the line shown after the command:
$ zipgrep CryptoAllPermission /opt/snaplogic/pkgs/jre1.8.0_45/lib/security/local_policy.jar
default_local.policy: permission javax.crypto.CryptoAllPermission;
Generate the keytab file for the Kerberos user, put it on each Groundplex node, and give snapuser access to the keytab file.
$ sudo cp /path/to/keytab/file /home/snapuser/<keytab_file_name>
$ sudo chown snapuser:snapuser /home/snapuser/<keytab_file_name>
$ sudo chmod 400 /home/snapuser/<keytab_file_name>
How to Test Kerberos Configurations on Groundplex Nodes
The following commands can be used to test Kerberos configurations on the Groundplex nodes:
$ kinit -k -t /path/to/keytab/file <principal_name>
$ klist
For example, with a keytab file for the principal snaplogic/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM, you should be able to initialize the ticket cache and see output like this:
$ kinit -k -t /home/snapuser/snaplogic.keytab snaplogic/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM
$ klist
Ticket cache: FILE:/tmp/krb5cc_5112
Default principal: snaplogic/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM

Valid starting       Expires              Service principal
03/27/2017 18:39:59  03/28/2017 18:39:59  krbtgt/node1.snaplogic.dev.com@SNAPLOGIC.DEV.COM
        renew until 04/03/2017 18:39:59
Common Issues
How to Create a New User for Hive with Kerberos
Create a Linux user on each CDH cluster node.
Create a home directory on the CDH cluster's HDFS for the new user.
Create a Kerberos principal for the new user.
Snap fails with error: [Cloudera][HiveJDBCDriver](500051) ERROR processing query/statement. Error Code: ERROR_STATE, SQL state: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.mr.MapRedTask, Query: ......
In the Snap's account settings:
If the authentication type is Kerberos, make sure all the steps in question 1 have been done correctly.
- If the authentication type is User ID or User ID and Password, make sure steps a and b in question 1 have been done correctly.
If the authentication type is None, a home directory for the anonymous user should be created on HDFS:
Snap failed with error: Unable to authenticate the client to the KDC using the provided credentials.
This error indicates that Kerberos is not configured properly on the Groundplex nodes. See the section Configure Kerberos on Groundplex nodes.
Snap failed with error: Keytab file does not exist or is not readable.
As the error message says, either the keytab file is missing or snapuser does not have access to it. See step 5 in the Step-by-step Guide.
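
The following is an added example, not part of the original guide or SnapLogic's own tooling: a shell function that audits a keytab against what the keytab step sets (owner snapuser, mode 400) and reports which condition behind the "Keytab file does not exist or is not readable" error applies. The function name check_keytab and the choice to reject symlinks are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: audit a keytab against the owner and mode set in the guide.
# Usage: check_keytab /home/snapuser/<keytab_file_name> snapuser

# check_keytab FILE OWNER
# Prints one line per finding. Returns 0 only if FILE exists, is a regular
# file (symlinks are rejected so the mode checked is the file's own), is
# owned by OWNER, and has mode 400 as set by the guide's chmod command.
check_keytab() {
    local file=$1 owner=$2 mode actual_owner rc=0

    if [ ! -e "$file" ] && [ ! -L "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 1
    fi

    # GNU stat first (RHEL/CentOS, where the guide's yum command applies);
    # the BSD form is only a fallback for other platforms.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file") || return 1
    actual_owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file") || return 1

    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: owner is $actual_owner, expected $owner (fix with chown)"
        rc=1
    fi
    if [ "$mode" != "400" ]; then
        # Any other mode either locks the owner out or exposes the key
        # material to other accounts on the node.
        echo "FAIL: mode is $mode, expected 400 (fix with chmod 400)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $file owner=$owner mode=400"
    fi
    return "$rc"
}
```

Run it on each Groundplex node before testing with kinit; a nonzero return means the keytab step needs to be repeated for that node.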