Configure via ADCM
ADCM actions for ADH with Active Directory
- Select an installed and prepared ADH cluster.
- Run the Enable Kerberos action.
  [Figure: Enable Kerberos]
- Turn on the Existing Active Directory option.
  [Figure: Existing Active Directory option]
- Fill in the Active Directory details and proceed to setting up Kerberos in the cluster.
  [Figure: Active Directory fields]
Verify Kerberos installation success using MIT Kerberos
After the cluster is kerberized, every user action requires successful authentication first. The examples below show HDFS requests before and after the cluster is kerberized, using MIT Kerberos.
Check HDFS before the cluster is kerberized
$ sudo -u hdfs hdfs dfs -touch /tmp/arenadata_test.txt
$ sudo -u hdfs hdfs dfs -ls /tmp
The output looks as follows:
Found 1 items
-rw-r--r-- 3 hdfs hadoop 0 2022-02-05 11:17 /tmp/arenadata_test.txt
The curl request to create an entity:
$ curl -I -H "Content-Type:application/octet-stream" -X PUT 'http://httpfs_hostname:14000/webhdfs/v1/tmp/arenadata_httpfs_test.txt?op=CREATE&data=true&user.name=hdfs'
The response looks like the following:
HTTP/1.1 201 Created
Date: Sat, 05 Feb 2022 11:23:31 GMT
Cache-Control: no-cache
Expires: Sat, 05 Feb 2022 11:23:31 GMT
Date: Sat, 05 Feb 2022 11:23:31 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=hdfs&p=hdfs&t=simple-dt&e=1628198611064&s=gS6tylp5MZw+aiHs1EzuNfd1qqbJpFAGeGLxTtXxZfg="; Path=/; HttpOnly
Content-Type: application/json;charset=utf-8
Content-Length: 0
The curl request to retrieve data about an HDFS file:
$ curl -H "Content-Type:application/json" -X GET 'http://httpfs_hostname:14000/webhdfs/v1/tmp?op=LISTSTATUS&user.name=hdfs'
The response JSON looks as follows:
{"FileStatuses":{"FileStatus":[{"pathSuffix":"arenadata_httpfs_test.txt","type":"FILE","length":0,"owner":"hdfs","group":"hadoop","permission":"755","accessTime":1628162611089,"modificationTime":1628162611113,"blockSize":134217728,"replication":3}]}}
Check HDFS after the cluster is kerberized
HDFS request:
$ sudo -u hdfs hdfs dfs -ls /tmp
Response (unsuccessful):
2022-02-05 11:34:14,753 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
2022-02-05 11:34:14,765 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
2022-02-05 11:34:14,767 INFO retry.RetryInvocationHandler: java.io.IOException: DestHost:destPort namenode_host:8020 , LocalHost:localPort namenode_host/namenode_ip:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS], while invoking ClientNamenodeProtocolTranslatorPB.getFileInfo over namenode_host/namenode_ip:8020 after 1 failover attempts. Trying to failover after sleeping for 1087ms.
Creating a ticket:
$ sudo -u hdfs kinit -k -t /etc/security/keytabs/hdfs.service.keytab hdfs/node_hostname@REALM
Response to the repeated HDFS request (successful):
Found 1 items
-rw-r--r-- 3 hdfs hadoop 0 2022-02-05 11:17 /tmp/arenadata_test.txt
HDFS request:
$ sudo -u hdfs curl -H "Content-Type:application/json" -X GET 'http://httpfs_hostname:14000/webhdfs/v1/tmp?op=LISTSTATUS&user.name=hdfs'
Response (unsuccessful):
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 Authentication required</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /webhdfs/v1/tmp. Reason:
<pre> Authentication required</pre></p>
</body>
</html>
Creating a ticket:
$ sudo -u hdfs kinit -k -t /etc/security/keytabs/HTTP.service.keytab HTTP/node_hostname@REALM
HDFS request:
$ sudo -u hdfs curl -sfSIL -I -H "Content-Type:application/octet-stream" -X PUT --negotiate -u : 'http://httpfs_hostname:14000/webhdfs/v1/tmp/arenadata_httpfs_test.txt?op=CREATE&data=true&user.name=hdfs'
Response (successful):
HTTP/1.1 201 Created
Date: Sat, 05 Feb 2022 11:23:31 GMT
Cache-Control: no-cache
Expires: Sat, 05 Feb 2022 11:23:31 GMT
Date: Sat, 05 Feb 2022 11:23:31 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=hdfs&p=hdfs&t=simple-dt&e=1628198611064&s=gS6tylp5MZw+aiHs1EzuNfd1qqbJpFAGeGLxTtXxZfg="; Path=/; HttpOnly
Content-Type: application/json;charset=utf-8
Content-Length: 0
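One way to script the checks above, as an added example that is not part of the Arenadata documentation: the functions read saved curl response headers and report whether a request was rejected, accepted with simple (user.name) authentication, or accepted with Kerberos. The function names, the 401 and Kerberos samples, and the kerberos-dt cookie type are assumptions made for illustration; the simple-dt sample is the response shown on this page.

```bash
#!/usr/bin/env bash
# Added example (not Arenadata code): classify saved `curl -I` / `curl -D -` headers.

# Status code of the last response; --negotiate output holds a 401 before the final reply.
http_status() {
  printf '%s\n' "$1" | awk '/^HTTP\//{code=$2} END{print code}'
}

# Value of the t= field of the hadoop.auth cookie; empty when no cookie was set.
auth_type() {
  printf '%s\n' "$1" |
    sed -n 's/^[Ss]et-[Cc]ookie: hadoop\.auth="\{0,1\}[^;]*&t=\([^&";]*\).*/\1/p' |
    tail -n 1
}

# rejected = 401; kerberos / simple = accepted by that handler; unknown = anything else.
# Assumption: the Kerberos handler writes a type starting with "kerberos" (e.g. kerberos-dt).
classify() (
  resp=$(printf '%s\n' "$1" | tr -d '\r')   # curl prints CRLF line endings
  case "$(http_status "$resp"):$(auth_type "$resp")" in
    401:*)         echo rejected ;;
    2??:kerberos*) echo kerberos ;;
    2??:simple*)   echo simple ;;
    *)             echo unknown ;;
  esac
)

# Headers taken from the response shown on this page (request with user.name only).
SAMPLE_SIMPLE='HTTP/1.1 201 Created
Set-Cookie: hadoop.auth="u=hdfs&p=hdfs&t=simple-dt&e=1628198611064&s=gS6tylp5MZw+aiHs1EzuNfd1qqbJpFAGeGLxTtXxZfg="; Path=/; HttpOnly
Content-Length: 0'

# Constructed sample: request without a ticket on a kerberized cluster.
SAMPLE_401='HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate'

# Constructed sample: --negotiate exchange, 401 challenge followed by the final reply.
SAMPLE_KRB='HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate

HTTP/1.1 201 Created
Set-Cookie: hadoop.auth="u=hdfs&p=hdfs@REALM&t=kerberos-dt&e=0&s=CONSTRUCTED"; Path=/; HttpOnly'

for s in "$SAMPLE_SIMPLE" "$SAMPLE_401" "$SAMPLE_KRB"; do classify "$s"; done
```

On a kerberized cluster, a verdict of simple means the endpoint still accepted user.name without a ticket. Live headers can be captured with curl -s -D - -o /dev/null and passed to classify as a single argument.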