Kinit auxiliary service is a critical service both for authentication between Kyuubi client/server and for authentication between Kyuubi server/Hadoop cluster in a Kerberos environment. It will get a Kerberos Ticket Cache from KDC and periodically re-kinit to keep the Ticket Cache fresh.

Note:

  • Kinit auxiliary service is critical to Kyuubi Kerberos authentication, but not vice versa.
  • Kinit auxiliary service can also work with other authentication mode.

Installing and Configuring the Kerberos Clients

Usually, Kerberos client is installed as default. You can validate it using klist tool.

  1. $ klist -V
  2. Kerberos 5 version 1.15.1

If the client is not installed, you should install it ahead based on the OS platform that you prepare to run Kyuubi.

krb5.conf is a configuration file for tuning up the creation of Kerberos ticket cache. The default location is /etc on Linux, and we can use KRB5_CONFIG environmental variable to overwrite the location of the configuration file.

Replace or configure krb5.conf to point to the KDC.

Kerberos Ticket

Kerberos client is aimed to generate a Ticket Cache file. Then, Kyuubi can use this Ticket Cache to authenticate with those kerberized services, e.g. HDFS, YARN, and Hive Metastore server, etc.

A Kerberos ticket cache contains a service and a client principal names, lifetime indicators, flags, and the credential itself, e.g.

  1. $ klist
  3. Ticket cache: FILE:/tmp/krb5cc_5441
  4. Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG
  6. Valid starting       Expires              Service principal
  7. 2020-11-25T13:17:18  2020-11-26T13:17:18  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
  8.     renew until 2020-12-02T13:17:18

Kerberos credentials can be stored in Kerberos ticket cache. For example, /tmp/krb5cc_5441 in the above case.

They are valid for relatively short period. So, we always need to refresh it for long-running services like Kyuubi.

Configurations

Key Default Meaning Since
kyuubi.kinit.principal
<undefined>
Name of the Kerberos principal.
1.0.0
kyuubi.kinit.keytab
<undefined>
Location of Kyuubi server’s keytab.
1.0.0
kyuubi.kinit.interval
PT1H
How often will Kyuubi server run kinit -kt [keytab] [principal] to renew the local Kerberos credentials cache
1.0.0
kyuubi.kinit.max.attempts
10
How many times will kinit process retry
1.0.0

When working with a Kerberos-enabled Hadoop cluster, we should ensure that hadoop.security.authentication is set to KERBEROS in $HADOOP_CONF_DIR/core-site.xml or $KYUUBI_HOME/conf/kyuubi-defaults.conf. Then we need to specify kyuubi.kinit.principal and kyuubi.kinit.keytab for authentication.

For example,

  1. kyuubi.kinit.principal=spark/kyuubi.apache.org@KYUUBI.APACHE.ORG
  2. kyuubi.kinit.keytab=/path/to/kyuuib.keytab

Note:
kyuubi.kinit.principal must be in the format: <user>/<host>@<realm>, and <host> must be a FQDN of the host Kyuubi is running.

Kyuubi will use this principal to impersonate client users, so the cluster should enable it to do impersonation for some particular user from some particular hosts.

For example,

  1. hadoop.proxyuser.<user name in principal>.groups *
  2. hadoop.proxyuser.<user name in principal>.hosts *

Further Readings