MIT Kerberos

Kerberos — network authentication protocol in which a client and a server prove their identities to each other (mutual authentication) using tickets issued by a trusted third party, before any application data is exchanged.

SASL — Simple Authentication and Security Layer, a framework that adds authentication, and optionally integrity and confidentiality protection, to connection-oriented Internet protocols; Kafka carries Kerberos authentication through the SASL GSSAPI mechanism.

Basic concepts used in Kerberos:

  • Principal — unique name of a user or service that is allowed to authenticate with Kerberos, written as name[/instance]@REALM (for example, admin/admin@ADS-KAFKA.LOCAL).

  • Ticket — temporary, encrypted data issued to the client and presented to the server hosting the required service as proof of the client's identity.

  • Realm — administrative domain served by one Kerberos database: its KDC servers and the principals (users, services and hosts) registered in it.

  • Key Distribution Center (KDC) — service that holds the principal database and issues Kerberos tickets.

Configure Key Distribution Center

NOTE
  • Key Distribution Center can be installed on any host that can reach the host with ADCM installed and is addressable from the cluster hosts by its FQDN.

  • Key Distribution Center can also be installed on the same host as ADCM.

To install the Key Distribution Center, run the following command on the selected host:

$ sudo yum install -y krb5-server

The result is a message:

Complete!

Set up configuration files

NOTE
  • Examples of commands for working with configuration files are given using the vim text editor, which must be preinstalled on this host.

  • It is possible to use other text editors.

  1. The configuration file kdc.conf needs to be configured. It defines the realm the KDC serves and the paths to the files the KDC and kadmind use.

    Enter the command to open the file:

    $ sudo vim /var/kerberos/krb5kdc/kdc.conf

    Edit the opened file as follows:

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
     default_realm = ADS-KAFKA.LOCAL
    
    [realms]
     ADS-KAFKA.LOCAL = {
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

    This file contains the sections described below:

    [kdcdefaults]

    The section specifies the default values for tags that the [realms] section does not set for a realm.

    Tag              Tag description
    kdc_ports        UDP port(s) on which the KDC listens
    kdc_tcp_ports    TCP port(s) on which the KDC listens
    default_realm    Realm used when a principal name is given without one

    [realms]

    Every subsection in the section is the name of a Kerberos realm. The tags inside the subsection determine the KDC settings for that particular realm.

    Tag                  Tag description
    acl_file             Location of the ACL file that kadmind uses to determine which principals are granted which permissions in the Kerberos database
    admin_keytab         Location of the keytab file that the legacy administrative services kadmind4 and v5passwdd use to authenticate to the database
    dict_file            Location of a dictionary file of strings that cannot be used as passwords, one string per line with no extra whitespace. If it is not set, or no password policy is assigned to the principal, no dictionary check is performed
    supported_enctypes   Default key/salt encryption type combinations for principals of this realm. Every principal created with kadmin gets keys of all of these types

    NOTE
    The supported_enctypes list in the example above includes single-DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc), triple-DES (des3-hmac-sha1) and RC4 (arcfour-hmac) types. Single DES was removed from MIT Kerberos in release 1.18, triple DES and RC4 are deprecated since 1.19, and keys of those types are far cheaper to attack offline if a ticket or keytab is captured. Unless a legacy client requires them, keep only the aes256-cts and aes128-cts entries before creating any principals. A complete description of the tag values for this file can be found in the MIT Kerberos kdc.conf documentation.
  2. Next, you need to edit the kadm5.acl file to grant administrative access to the Kerberos realm.

    Enter the command to open the file:

    $ sudo vim /var/kerberos/krb5kdc/kadm5.acl

    Edit the opened file as follows:

    */admin@ADS-KAFKA.LOCAL *

    The example above is configured so that any principal with the admin instance in the ADS-KAFKA.LOCAL realm has all administrative privileges except key extraction. Keep the pattern this narrow: service principals such as kafka/host@ADS-KAFKA.LOCAL created later do not match it and therefore cannot modify the database.

    NOTE
    For a complete description of the entry format of this file, see the MIT Kerberos kadm5.acl documentation.
  3. Next, you need to edit krb5.conf, the Kerberos client library configuration file that the KDC host and every client use to find the KDC of the realm.

    Enter the command to open the file:

    $ sudo vim /etc/krb5.conf

    Edit the opened file as follows:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = ADS-KAFKA.LOCAL
     kdc_timesync = 1
     ticket_lifetime = 24h
    
    [realms]
     ADS-KAFKA.LOCAL = {
     admin_server = sov-ads-test-0.ru-central1.internal
     kdc = sov-ads-test-0.ru-central1.internal
     }

    This file contains the sections described below:

    [logging]

    The section specifies where each component writes its log.

    Tag             Tag description
    default         Log destination used unless a more specific tag applies
    kdc             Log destination for the KDC
    admin_server    Log destination for the administration server (kadmind)

    [libdefaults]

    This section describes the parameters used by the Kerberos V5 library.

    Tag               Tag description
    default_realm     Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, programs such as kinit require a realm to be given with every principal name
    kdc_timesync      Valid values are 1 or 0. If it is non-zero, client machines calculate the difference between their own time and the time returned by the KDC in ticket timestamps and use this value to correct for an inaccurate system clock when requesting tickets
    ticket_lifetime   Default lifetime requested for initial tickets

    [realms]

    Every subsection in the section is the name of a Kerberos realm. The tags inside the subsection determine the client settings for that particular realm.

    Tag               Tag description
    ADS-KAFKA.LOCAL   Name of the realm the subsection describes
    admin_server      Identifies the host on which the administration server is running. Typically, this is the main Kerberos server. This tag must be set for kadmin to reach the kadmind server of this realm
    kdc               The name or address of the host running the KDC for this realm. An optional port number can be included, separated from the hostname by a colon. The tag can be repeated once per KDC of the realm

    NOTE
    For a complete description of the tag values for the sections of this file, see the MIT Kerberos krb5.conf documentation.
  4. Create the database of Kerberos principals for the realm ADS-KAFKA.LOCAL using the kdb5_util utility.

    Enter command:

    $ sudo /usr/sbin/kdb5_util create -s -r ADS-KAFKA.LOCAL -P P@ssw0rd

    The -s option writes a stash file (by default .k5.ADS-KAFKA.LOCAL next to the database) so that krb5kdc and kadmind can start without the master password being typed in; the file contains the master key, so leave it owned by root and readable by no one else. The -P option is shown here for brevity: on a real KDC omit it and let kdb5_util prompt, because a password passed on the command line stays in the shell history and is visible in the process list while the command runs.

    As a result, a message is displayed about the database created for the ADS-KAFKA.LOCAL realm:

    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ADS-KAFKA.LOCAL',
    master key name 'K/M@ADS-KAFKA.LOCAL'
    NOTE
    A complete description of the functions of the kdb5_util utility and applicable options is available in the MIT Kerberos kdb5_util documentation.
  5. Create the administrative principal admin/admin using the kadmin.local command line interface. Its admin instance matches the */admin@ADS-KAFKA.LOCAL entry written to kadm5.acl in step 2.

    Enter command:

    $ sudo kadmin.local -q "add_principal -pw P@ssw0rd admin/admin"

    As with kdb5_util, omitting -pw makes kadmin.local prompt for the password instead of recording it in the shell history. As a result, a message is displayed:

    Principal "admin/admin@ADS-KAFKA.LOCAL" created.
    NOTE
    For a complete description of the kadmin.local command line interface functions and applicable options, see the MIT Kerberos kadmin documentation.
  6. Start (or restart) the KDC and the administration server.

    Enter the commands one by one:

    $ sudo systemctl restart krb5kdc
    $ sudo systemctl restart kadmin

    Check the status of running services by running the commands:

    $ sudo systemctl status krb5kdc
    $ sudo systemctl status kadmin

    Enable both units with systemctl enable so that they also start after a reboot. Cluster hosts must be able to reach the KDC on port 88 (UDP and TCP) and kadmind on TCP port 749, and their clocks must stay within the KDC's permitted clock skew (5 minutes by default), so keep all hosts on a common NTP source. To confirm that the realm works, obtain a ticket for admin/admin with kinit from any host carrying this krb5.conf and list it with klist.
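The following Python script is an added example (it is not part of this page or of ADS) that parses the kdc.conf and krb5.conf written in steps 1 and 3 and reports what a reviewer checks before step 6: that the default_realm of krb5.conf has a matching [realms] block in kdc.conf, that the client side names a kdc and an admin_server for it, and that supported_enctypes does not still issue DES, triple-DES or RC4 keys. The sample configuration constants are the ones shown above (krb5.conf without its [logging] section); the hardened variant with only AES types is constructed here.

```python
"""Added example (not from the page or ADS): parse the MIT Kerberos profile
format shared by kdc.conf and krb5.conf and audit the settings from the
procedure above before krb5kdc is started."""
import re

SECTION = re.compile(r"\[(\w+)\]")


def parse_profile(text):
    """Parse profile text into {section: {tag: value}}; a 'NAME = { ... }'
    block becomes a nested dict. Lines starting with '#' or ';' are comments."""
    data, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.fullmatch(line)
        if m:
            stack = [data.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("tag outside of any section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        tag, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(tag, {}))
        else:
            stack[-1][tag] = value
    return data


def weak_enctypes(supported):
    """Return the enctype:salt pairs using single DES (removed in MIT krb5 1.18)
    or triple DES / RC4 (deprecated since 1.19); AES and Camellia pass."""
    return [pair for pair in supported.split()
            if pair.split(":", 1)[0].lower().startswith(("des", "arcfour", "rc4"))]


def audit(kdc_conf, krb5_conf):
    """Cross-check kdc.conf against krb5.conf; return findings (empty means OK)."""
    kdc, krb5 = parse_profile(kdc_conf), parse_profile(krb5_conf)
    findings = []
    realm = krb5.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["krb5.conf: [libdefaults] has no default_realm"]
    kdc_realm = kdc.get("realms", {}).get(realm)
    if kdc_realm is None:
        findings.append("kdc.conf: no [realms] block for %s" % realm)
    else:
        weak = weak_enctypes(kdc_realm.get("supported_enctypes", ""))
        if weak:
            findings.append("kdc.conf: weak enctypes in supported_enctypes: " + " ".join(weak))
    client_realm = krb5.get("realms", {}).get(realm, {})
    for tag in ("kdc", "admin_server"):
        if tag not in client_realm:
            findings.append("krb5.conf: [realms] %s has no %s" % (realm, tag))
    return findings


# kdc.conf exactly as written in step 1 of the procedure above.
KDC_CONF = """
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 default_realm = ADS-KAFKA.LOCAL

[realms]
 ADS-KAFKA.LOCAL = {
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Constructed hardened variant: only AES key types are ever issued.
KDC_CONF_HARDENED = re.sub(r"supported_enctypes = .*",
                           "supported_enctypes = aes256-cts:normal aes128-cts:normal", KDC_CONF)

# krb5.conf from step 3 (the [logging] section is irrelevant to the audit).
KRB5_CONF = """
[libdefaults]
 default_realm = ADS-KAFKA.LOCAL
 kdc_timesync = 1
 ticket_lifetime = 24h

[realms]
 ADS-KAFKA.LOCAL = {
 admin_server = sov-ads-test-0.ru-central1.internal
 kdc = sov-ads-test-0.ru-central1.internal
 }
"""

if __name__ == "__main__":
    for label, conf in (("page kdc.conf", KDC_CONF), ("hardened kdc.conf", KDC_CONF_HARDENED)):
        print(label, "->", audit(conf, KRB5_CONF) or ["no findings"])
```

To run it on a KDC, read the real files with open() in place of the constants. Fix a weak-enctype finding before step 5, since every principal is created with keys of all the listed types.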

Configure a custom jaas.conf

Before running Manage Kerberos, the jaas.conf file of each service can be customized to define the login data that the service and the clients of other services use to connect to it (paths to keytab files, the useTicketCache parameter, and others).

The table below lists the services for which a custom jaas.conf file can be configured and the path at which each service stores it.

Path to the jaas.conf file for services

Service            Path to jaas.conf
Kafka              /etc/kafka/conf/kafka-jaas.conf
Kafka Connect      /etc/kafka-connect/jaas_config.conf
Kafka REST Proxy   /etc/kafka-rest/jaas_config.conf
Kafka-Manager      /etc/kafka-manager/conf/jaas.conf
Schema-Registry    /etc/schema-registry/jaas_config.conf
ksqlDB             /etc/ksqldb/jaas_config.conf
NiFi               /etc/nifi/conf/nifi-jaas.conf

The custom jaas.conf file is configured using a special JAAS template on the configuration page of the service. The configuration can be performed both for an individual service and for host groups on which the service is installed.

To configure jaas.conf:

  1. Turn on the Show advanced switch.

  2. Open the template, make changes and save by clicking Apply.

    To configure the login data used when authentication via the Kerberos protocol is enabled, only those blocks of the JAAS template that describe the configuration of the Krb5LoginModule module are filled in.

    Below is an example of a JAAS file template for the Kafka service and a brief description of the blocks to be filled.

    JAAS file for Kafka
    {% if cluster.config.kerberos_client and cluster.config.kerberos_client.enable_kerberos %}
    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        useTicketCache=false
        keyTab="{{ cluster.config.kerberos_client.keytab_dir }}/kafka.service.keytab"
        principal="kafka/{{ ansible_fqdn }}@{{ cluster.config.kerberos_client.realm }}";
    };
    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        useTicketCache=false
        keyTab="{{ cluster.config.kerberos_client.keytab_dir }}/kafka.service.keytab"
        principal="kafka/{{ ansible_fqdn }}@{{ cluster.config.kerberos_client.realm }}";
    };
    KafkaServer {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        useTicketCache=false
        serviceName="kafka"
        keyTab="{{ cluster.config.kerberos_client.keytab_dir }}/kafka.service.keytab"
        principal="kafka/{{ ansible_fqdn }}@{{ cluster.config.kerberos_client.realm }}";
    };
    {%- elif cluster.config.sasl_plain_auth_default_config is not none %}
        {%- set credential = cluster.config.sasl_plain_auth_default_config.sasl_plain_users_data %}
    KafkaServer {
      org.apache.kafka.common.security.plain.PlainLoginModule required
      username="kafka"
      password="{{ credential['kafka'] }}"
    {% for user, password in credential.items() %}
      user_{{ user }}="{{ password }}"{% if loop.index != loop | length %}
    {% endif %}
    {% endfor %};
    };
    {% endif %}
    • Client — login context the broker uses when it connects to ZooKeeper.

    • KafkaClient — login context used by Kafka clients (producers, consumers and the command-line tools) when they connect to the brokers.

    • KafkaServer — login context the broker uses to authenticate incoming connections, including those from other brokers.

    All three contexts point at the same kafka.service.keytab. That file holds the broker's long-term key, so it must be owned by the account the broker runs as and readable by no one else; with useKeyTab=true and useTicketCache=false the service authenticates from the keytab alone and never depends on a user's ticket cache.

  3. Save the configuration by clicking Save.

    Setting up JAAS template
  4. Restart the services for which jaas.conf was configured. To do this, apply the Restart action by clicking the actions icon in the Actions column.

NOTE
In the case when the JAAS template is not changed before enabling Manage Kerberos, after enabling kerberization on hosts, jaas.conf files are created by default for each service with the data given in the template.
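The following Python script is an added example, not part of this page or of ADS: it parses a rendered jaas.conf (the file the template above produces on a host) and checks the points that matter once Kerberos is enabled: every entry uses Krb5LoginModule with a keytab under the expected directory, does not fall back to a ticket cache, names a service/host@REALM principal and, for KafkaServer, sets storeKey=true. The host name broker-1.example.internal and the keytab directory /etc/security/keytabs are assumptions; BAD_JAAS is a constructed misconfiguration, including a PlainLoginModule entry left over from the SASL PLAIN branch of the template.

```python
"""Added example (not from the page or ADS): parse a rendered jaas.conf and
check the Krb5LoginModule entries a kerberized Kafka service needs."""
import re

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
# whitespace, // or /* */ comments, "quoted strings", punctuation, bare words
TOKEN = re.compile(r'\s+|//[^\n]*|/\*.*?\*/|"([^"]*)"|([{};=])|([^\s{};="]+)', re.S)


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("cannot tokenize JAAS text at offset %d" % pos)
        pos, (quoted, punct, word) = m.end(), m.groups()
        if quoted is not None:
            tokens.append(("str", quoted))
        elif punct or word:
            tokens.append(("punct", punct) if punct else ("word", word))
    return tokens


def parse_jaas(text):
    """Return {entry: [{"module": class, "flag": "required"..., "options": {...}}]}."""
    toks, i, entries = tokenize(text), 0, {}

    def expect(kind, value=None):
        nonlocal i
        tok = toks[i] if i < len(toks) else (None, None)
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError("expected %s %r, got %r" % (kind, value, tok))
        i += 1
        return tok[1]

    while i < len(toks):
        name, modules = expect("word"), []
        expect("punct", "{")
        while toks[i:i + 1] != [("punct", "}")]:
            module, flag, options = expect("word"), expect("word"), {}
            while toks[i:i + 1] != [("punct", ";")]:
                key = expect("word")
                expect("punct", "=")
                kind, value = toks[i] if i < len(toks) else (None, None)
                if kind not in ("str", "word"):     # value may be quoted or bare
                    raise ValueError("missing value for option %s" % key)
                options[key], i = value, i + 1
            expect("punct", ";")
            modules.append({"module": module, "flag": flag.lower(), "options": options})
        expect("punct", "}")
        expect("punct", ";")
        entries[name] = modules
    return entries


def check_krb5_entries(entries, realm, keytab_dir):
    """Findings for a service with Kerberos enabled; an empty list means OK."""
    findings = []
    for name, modules in entries.items():
        for mod in modules:
            opts, where = mod["options"], "%s/%s" % (name, mod["module"].rsplit(".", 1)[-1])
            if mod["module"] != KRB5_MODULE:
                findings.append(where + ": non-Kerberos login module while Kerberos is enabled")
                continue
            if opts.get("useKeyTab", "false").lower() != "true" or "keyTab" not in opts:
                findings.append(where + ": a service must set useKeyTab=true and keyTab")
            elif not opts["keyTab"].startswith(keytab_dir + "/"):
                findings.append(where + ": keyTab %s is outside %s" % (opts["keyTab"], keytab_dir))
            if opts.get("useTicketCache", "false").lower() == "true":
                findings.append(where + ": useTicketCache=true lets a user ticket cache replace the keytab")
            principal = opts.get("principal", "")
            if not re.fullmatch(r"[^/@]+/[^/@]+@" + re.escape(realm), principal):
                findings.append(where + ": principal %r is not service/host@%s" % (principal, realm))
            if name == "KafkaServer" and opts.get("storeKey", "false").lower() != "true":
                findings.append(where + ": KafkaServer needs storeKey=true to accept client tickets")
    return findings


GOOD_JAAS = """
// Template above rendered with the assumed host and keytab directory.
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true storeKey=true useTicketCache=false
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    principal="kafka/broker-1.example.internal@ADS-KAFKA.LOCAL";
};
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true storeKey=true useTicketCache=false serviceName="kafka"
    keyTab="/etc/security/keytabs/kafka.service.keytab"
    principal="kafka/broker-1.example.internal@ADS-KAFKA.LOCAL";
};
"""

BAD_JAAS = """
KafkaServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false useTicketCache=true principal="kafka@ADS-KAFKA.LOCAL";
};
KafkaClient {
    org.apache.kafka.common.security.plain.PlainLoginModule required
    username="kafka" password="hunter2";
};
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_JAAS), ("bad", BAD_JAAS)):
        print(label, check_krb5_entries(parse_jaas(text), "ADS-KAFKA.LOCAL", "/etc/security/keytabs"))
```

Run it against the file listed in the table above for each service after the Restart action; a finding means the service will either fail to log in or, worse, authenticate with something other than its own keytab.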

Start MIT Kerberos KDC on ADS cluster in ADCM interface

  1. Initiate Kerberos enablement for the selected cluster. To do this, apply the Manage Kerberos action by clicking the actions icon in the Actions column.

    Enabling Kerberos on the ADS cluster
  2. Enable Existing MIT KDC. To do this, turn on the switch of the same name in the window that opens.

    Enabling Existing MIT KDC
    NOTE
    Enabling Existing MIT KDC can be combined with the Custom kerberization settings option.
  3. Set the Show advanced switch to active.

  4. Set the configuration parameters of the ADS cluster for MIT Kerberos KDC in accordance with the values entered earlier (the realm, the KDC and admin server host, and the administrative principal created in the steps above) and click Run.

    Configuring ADS cluster for MIT Kerberos KDC
  5. Wait for the Kerberos setup to complete. Analyze and correct errors if they occur.

    Kerberos installation process
NOTE
Kerberos authentication after running Manage Kerberos in Kafka service is done according to Use MIT Kerberos in Kafka.