The Kinit auxiliary service is critical both for authentication between the Kyuubi client and server and for authentication between the Kyuubi server and the Hadoop cluster in a Kerberos environment. It obtains a Kerberos ticket cache from the KDC and periodically re-runs kinit to keep the ticket cache fresh.

Note:

- The Kinit auxiliary service is critical to Kyuubi Kerberos authentication, but not vice versa.
- The Kinit auxiliary service can also work with other authentication modes.
## Installing and Configuring the Kerberos Clients

Usually, the Kerberos client is installed by default. You can validate this using the `klist` tool:

```bash
$ klist -V
Kerberos 5 version 1.15.1
```
If the client is not installed, install it first, following the instructions for the OS platform on which you plan to run Kyuubi.

`krb5.conf` is the configuration file that controls how the Kerberos ticket cache is created. Its default location is `/etc` on Linux, and the `KRB5_CONFIG` environment variable can be used to override the location of the configuration file. Replace or edit `krb5.conf` so that it points to your KDC.
## Kerberos Ticket

The Kerberos client is used to generate a ticket cache file. Kyuubi can then use this ticket cache to authenticate with kerberized services such as HDFS, YARN, and the Hive Metastore server.

A Kerberos ticket cache contains the service and client principal names, lifetime indicators, flags, and the credential itself, e.g.
```bash
$ klist
Ticket cache: FILE:/tmp/krb5cc_5441
Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG

Valid starting       Expires              Service principal
2020-11-25T13:17:18  2020-11-26T13:17:18  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
	renew until 2020-12-02T13:17:18
```
Kerberos credentials are stored in the Kerberos ticket cache, `/tmp/krb5cc_5441` in the example above. They are valid only for a relatively short period, so a long-running service like Kyuubi must refresh them regularly.
## Configurations

Key | Default | Meaning | Since |
---|---|---|---|
`kyuubi.kinit.principal` | `<undefined>` | Name of the Kerberos principal. | 1.0.0 |
`kyuubi.kinit.keytab` | `<undefined>` | Location of the Kyuubi server's keytab. | 1.0.0 |
`kyuubi.kinit.interval` | `PT1H` | How often the Kyuubi server runs `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache. | 1.0.0 |
`kyuubi.kinit.max.attempts` | `10` | How many times the kinit process retries. | 1.0.0 |
When working with a Kerberos-enabled Hadoop cluster, we should ensure that `hadoop.security.authentication` is set to `KERBEROS` in `$HADOOP_CONF_DIR/core-site.xml` or `$KYUUBI_HOME/conf/kyuubi-defaults.conf`. Then we need to specify `kyuubi.kinit.principal` and `kyuubi.kinit.keytab` for authentication.
For example:

```properties
kyuubi.kinit.principal=spark/kyuubi.apache.org@KYUUBI.APACHE.ORG
kyuubi.kinit.keytab=/path/to/kyuubi.keytab
```
Note: `kyuubi.kinit.principal` must be in the format `<user>/<host>@<realm>`, and `<host>` must be the FQDN of the host on which Kyuubi is running. Kyuubi uses this principal to impersonate client users, so the cluster must allow it to impersonate particular users from particular hosts.
For example:

```
hadoop.proxyuser.<user name in principal>.groups *
hadoop.proxyuser.<user name in principal>.hosts *
```
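As an added example (not part of the Kyuubi documentation or code base), the script below parses the `klist` output shown in the Kerberos Ticket section to decide whether the ticket cache will outlive the next `kyuubi.kinit.interval` run, and checks a `kyuubi.kinit.principal` value against the `<user>/<host>@<realm>` rule above, deriving the `hadoop.proxyuser.*` keys the cluster must set for it. The embedded `klist` output and the server FQDN are constructed; the duration parser only covers the `PT…H/M/S` forms.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the `klist` output shown on this page, embedded so the checks run offline.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_5441
Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG
Valid starting       Expires              Service principal
2020-11-25T13:17:18  2020-11-26T13:17:18  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
        renew until 2020-12-02T13:17:18
"""
TS = "%Y-%m-%dT%H:%M:%S"
PRINCIPAL_RE = re.compile(r"^(?P<user>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")

def parse_klist(text):
    """Pull the cache path, default principal and TGT lifetime out of `klist` output."""
    info = {}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif "krbtgt/" in line:  # the TGT row: valid-from, expiry, service principal
            _start, expires, _service = line.split(None, 2)
            info["expires"] = datetime.strptime(expires, TS)
        elif line.strip().startswith("renew until"):
            info["renew_until"] = datetime.strptime(line.split()[-1], TS)
    return info

def parse_duration(text):
    """Parse the ISO-8601 form kyuubi.kinit.interval uses (PT1H, PT30M, PT90S, ...)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text)
    if not m or text == "PT":
        raise ValueError(f"unsupported duration {text!r}")
    h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(hours=h, minutes=mi, seconds=s)

def needs_kinit(info, now_iso, interval="PT1H"):
    """True when the TGT would expire before the next scheduled kinit run."""
    now = datetime.strptime(now_iso, TS)
    return now + parse_duration(interval) >= info["expires"]

def check_principal(principal, server_fqdn):
    """Validate <user>/<host>@<realm> form and host FQDN; returns (problems, proxyuser keys)."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return [f"{principal!r} is not in <user>/<host>@<realm> form"], []
    problems = [] if m["host"] == server_fqdn else [f"host {m['host']!r} is not {server_fqdn!r}"]
    keys = [f"hadoop.proxyuser.{m['user']}.{k}" for k in ("groups", "hosts")]
    return problems, keys
```

On a real host, feed `subprocess.run(["klist"], capture_output=True, text=True).stdout` to `parse_klist` instead of the constructed sample.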