Configure via ADCM

ADCM actions for ADH with Active Directory

  1. Select an installed and prepared ADH cluster.

  2. Run the Enable Kerberos action.

    [Image: Enable Kerberos]

  3. Turn on the Existing Active Directory option.

    [Image: Existing Active Directory option]

  4. Fill in the Active Directory parameters and proceed to setting up Kerberos in the cluster.

    [Image: Active Directory fields]

Verify Kerberos installation success using MIT Kerberos

After the cluster is kerberized, every user must authenticate successfully before performing any action. The examples below show HDFS requests before and after the cluster is kerberized using MIT Kerberos.

Check HDFS before the cluster is kerberized

HDFS CLI

$ sudo -u hdfs hdfs dfs -touch /tmp/arenadata_test.txt
$ sudo -u hdfs hdfs dfs -ls /tmp

The output looks as follows:

Found 1 items
-rw-r--r--   3 hdfs hadoop          0 2022-02-05 11:17 /tmp/arenadata_test.txt

HDFS HttpFS

The curl request to create an entity:

$ curl -I -H "Content-Type:application/octet-stream" -X PUT 'http://httpfs_hostname:14000/webhdfs/v1/tmp/arenadata_httpfs_test.txt?op=CREATE&data=true&user.name=hdfs'

The response looks like the following:

HTTP/1.1 201 Created
Date: Sat, 05 Feb 2022 11:23:31 GMT
Cache-Control: no-cache
Expires: Sat, 05 Feb 2022 11:23:31 GMT
Date: Sat, 05 Feb 2022 11:23:31 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=hdfs&p=hdfs&t=simple-dt&e=1628198611064&s=gS6tylp5MZw+aiHs1EzuNfd1qqbJpFAGeGLxTtXxZfg="; Path=/; HttpOnly
Content-Type: application/json;charset=utf-8
Content-Length: 0

The curl request to retrieve data about an HDFS file:

$ curl -H "Content-Type:application/json" -X GET 'http://httpfs_hostname:14000/webhdfs/v1/tmp?op=LISTSTATUS&user.name=hdfs'

The response JSON looks as follows:

{"FileStatuses":{"FileStatus":[{"pathSuffix":"arenadata_httpfs_test.txt","type":"FILE","length":0,"owner":"hdfs","group":"hadoop","permission":"755","accessTime":1628162611089,"modificationTime":1628162611113,"blockSize":134217728,"replication":3}]}}

Check HDFS after the cluster is kerberized

HDFS CLI

HDFS request:

$ sudo -u hdfs hdfs dfs -ls /tmp

Response (unsuccessful):

2022-02-05 11:34:14,753 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
2022-02-05 11:34:14,765 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
2022-02-05 11:34:14,767 INFO retry.RetryInvocationHandler: java.io.IOException: DestHost:destPort namenode_host:8020 , LocalHost:localPort namenode_host/namenode_ip:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS], while invoking ClientNamenodeProtocolTranslatorPB.getFileInfo over namenode_host/namenode_ip:8020 after 1 failover attempts. Trying to failover after sleeping for 1087ms.

Creating a ticket:

$ sudo -u hdfs kinit -k -t /etc/security/keytabs/hdfs.service.keytab hdfs/node_hostname@REALM

Response to the same HDFS request after obtaining the ticket (successful):

Found 1 items
-rw-r--r--   3 hdfs hadoop          0 2022-02-05 11:17 /tmp/arenadata_test.txt

HDFS HttpFS

HDFS request:

$ sudo -u hdfs curl -H "Content-Type:application/json" -X GET 'http://httpfs_hostname:14000/webhdfs/v1/tmp?op=LISTSTATUS&user.name=hdfs'

Response (unsuccessful):

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 Authentication required</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /webhdfs/v1/tmp. Reason:
<pre>    Authentication required</pre></p>
</body>
</html>

Creating a ticket:

$ sudo -u hdfs kinit -k -t /etc/security/keytabs/HTTP.service.keytab HTTP/node_hostname@REALM

HDFS request:

$ sudo -u hdfs curl -sfSIL -I -H "Content-Type:application/octet-stream" -X PUT --negotiate -u : 'http://httpfs_hostname:14000/webhdfs/v1/tmp/arenadata_httpfs_test.txt?op=CREATE&data=true&user.name=hdfs'

Response (successful):

HTTP/1.1 201 Created
Date: Sat, 05 Feb 2022 11:23:31 GMT
Cache-Control: no-cache
Expires: Sat, 05 Feb 2022 11:23:31 GMT
Date: Sat, 05 Feb 2022 11:23:31 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=hdfs&p=hdfs&t=simple-dt&e=1628198611064&s=gS6tylp5MZw+aiHs1EzuNfd1qqbJpFAGeGLxTtXxZfg="; Path=/; HttpOnly
Content-Type: application/json;charset=utf-8
Content-Length: 0
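
The before/after HttpFS comparison above can be checked mechanically. The script below is an added example, not part of the original documentation: it classifies header dumps saved from curl -sI by status code, by the presence of a Negotiate challenge, and by the t= field of the hadoop.auth cookie. The function names and sample responses are constructed, and it assumes the cookie type is simple or simple-dt for pseudo authentication and kerberos or kerberos-dt for SPNEGO.

```shell
#!/bin/sh
# Added example. Classifies header dumps saved from `curl -sI ...` against HttpFS.
# Assumption: the hadoop.auth cookie type is simple/simple-dt for pseudo
# authentication and kerberos/kerberos-dt for SPNEGO.

# Status code of the last response in a header dump (curl --negotiate
# prints the 401 challenge first, then the final response).
http_status() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^HTTP\// { code = $2 } END { print code }'
}

# Value of the t= field in the last hadoop.auth cookie; empty if none.
auth_type() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Ss]et-[Cc]ookie: hadoop\.auth=.*[&"]t=\([^&";]*\).*/\1/p' |
        tail -n 1
}

# $1: headers of a request sent without credentials
# $2: headers of a request sent with --negotiate after kinit
kerberos_verdict() {
    anon=$(http_status "$1"); code=$(http_status "$2"); kind=$(auth_type "$2")
    if [ "$anon" != 401 ]; then
        echo "FAIL: anonymous request got $anon, cookie type $(auth_type "$1")"
    elif ! printf '%s\n' "$1" | grep -qi '^WWW-Authenticate: Negotiate'; then
        echo "FAIL: 401 without a Negotiate challenge"
    else
        case "$code:$kind" in
            2??:kerberos*) echo "OK: SPNEGO enforced, cookie type $kind" ;;
            2??:*) echo "FAIL: authenticated cookie type is '$kind'" ;;
            *) echo "FAIL: authenticated request got $code" ;;
        esac
    fi
}

# Constructed samples modelled on the responses shown on this page.
SIMPLE='HTTP/1.1 201 Created
Set-Cookie: hadoop.auth="u=hdfs&p=hdfs&t=simple-dt&e=1628198611064&s=SIGNATURE="; Path=/; HttpOnly'
ANON='HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate'
SPNEGO="$ANON

HTTP/1.1 201 Created
Set-Cookie: hadoop.auth=\"u=hdfs&p=hdfs/node_hostname@REALM&t=kerberos-dt&e=1628198611064&s=SIGNATURE=\"; Path=/; HttpOnly"

kerberos_verdict "$SIMPLE" "$SIMPLE"   # cluster that is not kerberized
kerberos_verdict "$ANON" "$SPNEGO"     # kerberized cluster
```

A cookie type that still starts with simple after kerberization means the endpoint accepted the user.name parameter instead of a Kerberos ticket.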