我的书签
添加书签
移除书签
Kinit Auxiliary Service
In order to work with a kerberos-enabled cluster, Kyuubi provides this kinit auxiliary service. It will periodically re-kinit with to keep the Ticket Cache fresh.
Installing and Configuring the Kerberos Clients
Usually, Kerberos client is installed as default. You can validate it using klist tool.
$ klist -VKerberos 5 version 1.15.1
If the client is not installed, you should install it ahead based on the OS platform that you prepare to run Kyuubi.
krb5.conf is a configuration file for tuning up the creation of Kerberos ticket cache.
The default location is /etc on Linux,
and we can use KRB5_CONFIG environmental variable to overwrite the location of the configuration file.
Replace or configure krb5.conf to point to the KDC.
Kerberos Ticket
Kerberos client is aimed to generate a Ticket Cache file. Then, Kyuubi can use this Ticket Cache to authenticate with those kerberized services, e.g. HDFS, YARN, and Hive Metastore server, etc.
A Kerberos ticket cache contains a service and a client principal names, lifetime indicators, flags, and the credential itself, e.g.
$ klistTicket cache: FILE:/tmp/krb5cc_5441Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORGValid starting Expires Service principal2020-11-25T13:17:18 2020-11-26T13:17:18 krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORGrenew until 2020-12-02T13:17:18
Kerberos credentials can be stored in Kerberos ticket cache.
For example, /tmp/krb5cc_5441 in the above case.
They are valid for relatively short period. So, we always need to refresh it for long-running services like Kyuubi.
Configurations
| Key | Default | Meaning | Since |
|---|---|---|---|
| kyuubi.kinit .principal |
<undefined> |
Name of the Kerberos principal. |
1.0.0 |
| kyuubi.kinit.keytab | <undefined> |
Location of Kyuubi server’s keytab. |
1.0.0 |
| kyuubi.kinit.interval | PT1H |
How often will Kyuubi server run kinit -kt [keytab] [principal] to renew the local Kerberos credentials cache |
1.0.0 |
| kyuubi.kinit.max .attempts |
10 |
How many times will kinit process retry |
1.0.0 |
When hadoop.security.authentication is set to KERBEROS, in $HADOOP_CONF_DIR/core-site or $KYUUBI_HOME/conf/kyuubi-defaults.conf,
it indicates that we are targeting a secured cluster, then we need to specify kyuubi.kinit.principal and kyuubi.kinit.keytab for authentication.
Kyuubi will use this principal to impersonate client users,
so the cluster should enable it to do impersonation for some particular user from some particular hosts.
For example,
hadoop.proxyuser.<user name in principal>.groups *hadoop.proxyuser.<user name in principal>.hosts *
