To connect to a Kerberos-secured cluster, you need a keytab file, which stores pairs of principals and encrypted keys derived from passwords.
To create a keytab file with MIT Kerberos, we will use ktutil. The encryption types (their names are case-sensitive) must be supported and must be listed in krb5.conf. The steps below assume that [email protected] already exists in the Kerberos (or respective) database. Follow them to create the keytab file for authentication:
- Add a key for the principal with the RC4-HMAC encryption type to the key list:
$ ktutil
ktutil : addent -password -p [email protected] -k 1 -e RC4-HMAC
Password for [email protected]: [enter your password]
- Add a key for the principal with the aes256-cts encryption type to the key list:
ktutil : addent -password -p [email protected] -k 1 -e aes256-cts
Password for info[email protected]: [enter your password]
- Add a key for the principal with the aes128-cts encryption type to the key list:
ktutil : addent -password -p [email protected] -k 1 -e aes128-cts
Password for infou[email protected]: [enter your password]
- Write the current key list to a Kerberos V5 keytab file:
ktutil : wkt infouser.keytab
ktutil : quit
- Make sure the permissions are correct (readable and writable by the owner only):
$ chmod 600 infouser.keytab
- Test whether the generated keytab is correct:
$ kinit [email protected] -k -t infouser.keytab
- Now, the principal and keytab file can be passed to spark-submit (on YARN only):
spark-submit --keytab "infouser.keytab" --principal "[email protected]" ...
- To do it programmatically, use:
import org.apache.hadoop.security.UserGroupInformation;

UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("[email protected]", "infouser.keytab");
// The user principal's login has a maximum life span, so renew it as the application needs:
ugi.reloginFromKeytab();
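A check for the keytab written in the steps above, as an added example that is not from the original text: it parses the MIT keytab file format (version 0x0502) to list each principal, key version and encryption type, and reports file permissions wider than 600 and any entry using the deprecated RC4-HMAC type. The function names, the principal user@EXAMPLE.COM and the all-zero key bytes in `sample_entry` are constructed for illustration.

```python
import os, stat, struct

WEAK = {23: "rc4-hmac"}  # enctype number 23, deprecated by RFC 8429

def _counted(buf, off):  # read a uint16-length-prefixed string -> (text, new_offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # deleted slot (negative) or padding: skip it
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(rec, off)
            comps.append(comp)
        off += 8                         # skip name type and timestamp (4 bytes each)
        kvno, etype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen                # key bytes are skipped, never returned
        if len(rec) - off >= 4:          # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries

def audit_keytab(path):
    """Return findings for the keytab at path; an empty list means nothing to report."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = [f"mode {mode:o} is wider than 600"] if mode & 0o077 else []
    with open(path, "rb") as fh:
        for principal, kvno, etype in parse_keytab(fh.read()):
            if etype in WEAK:
                findings.append(f"{principal} kvno {kvno}: weak enctype {WEAK[etype]}")
    return findings

def sample_entry(name, realm, kvno, etype, key=b"\x00" * 16):  # constructed record, placeholder key
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", 1) + s(realm) + s(name)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body
```

Run `audit_keytab("infouser.keytab")` after the wkt and chmod steps; for a keytab built with the three addent commands above, the only finding should be the RC4-HMAC entry.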