Seamless Kerberos connection on Linux

About this task

You need to create two cron jobs, one using the k5start utility and one using kinit. These utilities perform the following operations:

  1. Renew the TGT before its renewable lifetime runs out (k5start).
  2. Regenerate the token before it expires (kinit).

Procedure

  1. Renew the TGT using the k5start utility and add the command to cron. Contact the Kerberos administrator to obtain the values for the placeholders.
    
    a. Establish the Cloudera BigData instance authentication using the Kerberos keytab file:
    
    k5start -f <KEYTABFILE> -K <minutes> -l <time> [-u <PRINCIPAL>] [-v]
    
    You can add this command to the cron job to make sure that the Kerberos token is always alive.
    
    b. See https://linux.die.net/man/1/k5start
    
    c. k5start -f <KEYTABFILE> -K <minutes> -l <time> [-u <PRINCIPAL>] [-v]
    -f keytab
    Authenticate using the keytab rather than asking for a password. A key for the client principal must be present in keytab.
    
    -K minutes
    Run in daemon mode to keep a ticket alive indefinitely. The program reawakens after minutes minutes, checks if the ticket will expire before or less than two minutes after the next scheduled check, and gets a new ticket if needed. If this option is not given but a command was given on the command line, an interval appropriate for the ticket lifetime will be used.
    
    -l time string
    Set the ticket lifetime. time string should be in a format recognized by the Kerberos libraries for specifying times, such as "10h" (ten hours) or "10m" (ten minutes). Known units are "s", "m", "h", and "d".
    
    -v
    Be verbose. This will print out a bit of additional information about what is being attempted and what the results are.
    For example:
    k5start -f <FilePath>/impala.keytab -K 1 -l 3m impala/quickstart.cloudera@CLOUDERA
    k5start -f <FilePath>/impala.keytab -K 1 -l 3m impala/quickstart.cloudera@CLOUDERA -v
  2. Regenerate the token using the kinit utility. Add it to cron so that the ticket is regenerated before it expires:
    
    kinit -k -t <keytab_filename> <principal>
    
    See https://linux.die.net/man/1/kinit
    
    -k [-t keytab_file]
    Requests a ticket, obtained from a key in the local host's keytab file. The name and location of the keytab file may be specified with the -t keytab_file option; otherwise the default name and location will be used. By default a host ticket is requested, but any principal may be specified. On a KDC, the special keytab location KDB: can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports password-based authentication.
    For example:
    kinit -k -t /root/impala.keytab impala/quickstart.cloudera@CLOUDERA
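The kinit step above wrapped in a cron-driven script that checks the cached krbtgt with klist and only contacts the KDC when the ticket is close to expiry. This is an added example, not a script from this page or the product it documents; it assumes GNU date (for -d), the default MIT klist output format, and the keytab, principal and threshold values shown, which you should adjust to your environment.

```sh
#!/bin/sh
# Added example, not the page's own script. Assumed values: KEYTAB, PRINCIPAL,
# THRESHOLD_SECS; also assumes GNU date (-d) and MIT klist default output format.
KEYTAB="${KEYTAB:-/root/impala.keytab}"
PRINCIPAL="${PRINCIPAL:-impala/quickstart.cloudera@CLOUDERA}"
THRESHOLD_SECS="${THRESHOLD_SECS:-600}"   # refresh when under 10 minutes remain

# Read klist output on stdin, find the krbtgt line ("MM/DD/YYYY HH:MM:SS" columns)
# and print its expiry as seconds since the epoch. Non-zero status if nothing usable.
krbtgt_expiry_epoch() {
    line=$(grep 'krbtgt/' | head -n 1)
    [ -n "$line" ] || return 1
    # columns: start-date start-time expiry-date expiry-time service-principal
    expiry=$(printf '%s\n' "$line" | awk '{print $3 " " $4}')
    date -d "$expiry" +%s
}

# True (exit 0) when a refresh is needed: no ticket, unparsable cache, or the
# krbtgt expires within THRESHOLD_SECS of $2 (current time as epoch seconds).
needs_refresh() {
    klist_text=$1
    now=$2
    exp=$(printf '%s\n' "$klist_text" | krbtgt_expiry_epoch) || return 0
    [ $((exp - now)) -lt "$THRESHOLD_SECS" ]
}

# Cron entry point: only contacts the KDC when the ticket is actually close to expiry.
refresh_if_needed() {
    if needs_refresh "$(klist 2>/dev/null)" "$(date +%s)"; then
        kinit -k -t "$KEYTAB" "$PRINCIPAL" && echo "ticket refreshed for $PRINCIPAL"
    else
        echo "ticket still valid, nothing to do"
    fi
}

# Example crontab line (every 5 minutes):
#   */5 * * * * /usr/local/bin/krb-refresh.sh --run >> /var/log/krb-refresh.log 2>&1
if [ "${1:-}" = "--run" ]; then
    refresh_if_needed
fi
```

Running the check before kinit keeps the cron job from hitting the KDC every interval, and the log line lets you spot a keytab or KDC problem before the ticket actually lapses.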