Enabling and Configuring Kerberos Authentication

This section provides information on enabling and configuring kerberos authentication for securing HDFS. Perform the tasks in the listed order:

 

Task

See
(Conditional) For Linux, configure the Kerberos Key Distribution Centre. Configuring Kerberos Key Distribution Centre in Linux

(Conditional) For Windows, set up your environment to configure Kerberos KDC.

 Setting Up Your Windows Environment to Configure Kerberos KDC

(Conditional) For Windows, create service and user principals for Kerberos ticket generation.

 Creating Service Principals for Kerberos Ticket Generation in Windows

Configure HDFS services to use keytabs.

 Configuring HDFS Services to Use Keytabs

Configuring Kerberos Key Distribution Centre in Linux

To configure Kerberos Key Distribution Centre (KDC):

  1. Install MIT Kerberos on any of the Kubernetes nodes in the CDF cluster. Refer to the open source documentation to perform this step.

  2. As a root user, log in to the node where MIT Kerberos is installed, then create a service principal for HDFS:

    $kadmin.local
    $addprinc hdfs/<DATANODE_HOST>

  3. Generate the keytab for the service principal created in step 2:

    $kadmin.local
    $ktadd -k hdfs/<DATANODE_HOST>.keytab hdfs/<DATANODE_HOST>

  4. As a root user, log in to the node where MIT Kerberos is installed, then create a service principal for HTTP:

    $addprinc HTTP/<DATANODE_HOST>

  5. Generate the keytab for the service principal created in step 4:

    $kadmin.local
    $ktadd -k HTTP/<DATANODE_HOST>.keytab HTTP/<DATANODE_HOST>

  6. Repeat steps 2 to 5 for all nodes where HDFS datanodes are active.

  7. As a root user, log in to the node where MIT Kerberos is installed, then create a user principal for HDFS:

    $kadmin.local 
$addprinc hdfs

Setting Up Windows Environment to Configure Kerberos KDC

The steps provided in this section have been verified on the Windows 2016 server.

To set up your Windows environment to configure Kerberos KDC, do the following:

  1. If you have not deployed the Active Directory Domain Controller in your environment, then deploy a Windows server and promote the server as the Active Directory Domain Controller. Refer to the Microsoft documentation to perform this activity.

  2. If you have deployed the Active Directory Domain Controller and Intelligence in the same domain, proceed to step 4.

  3. If you have deployed the Active Directory Domain Controller and Intelligence in different domains, add the Active Directory Domain Controller DNS entry in the Kubernetes environment:

    1. Log in to the node in the CDF cluster as a root user and run the following command to edit the DNS-hosts-configmap file:

      kubectl edit cm dns-hosts-configmap -n kube-system

      Your terminal looks as follows:

      apiVersion: v1

      data:

        dns-hosts-key: ""

      kind: ConfigMap

      metadata:

        creationTimestamp: 2018-10-19T05:28:05Z

        name: dns-hosts-configmap

        namespace: kube-system

    2. Update the DNS entries and save the file. This change will take effect in 20 seconds automatically.

      For example, add the following DNS entries:

      dns-hosts-key: |

       192.0.2.0 myhost.mydomain.com

       192.0.2.1 myhost.mydomain2.com

    3. Your terminal looks as follows:

      apiVersion: v1

       data:

        dns-hosts-key: |

         192.0.2.0 myhost.mydomain.com

         192.0.2.1 myhost.mydomain.com

       kind: ConfigMap

       metadata:

         creationTimestamp: 2018-10-19T05:28:05Z

  4. (Recommended) Perform the following steps to ensure that you select strong encryption algorithm types for Kerberos in the Active Directory Domain controller:

    1. In Local Group Policy Editor, navigate to the following location:

      Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

    2. Select Network Security: Configure encryption types allowed for Kerberos.

    3. Right-click Network Security: Configure encryption types allowed for Kerberos and click Properties.

    4. In the pop-up window, under the Local Security Setting tab, select the following check boxes:

      • AES128_HMAC_SHA1

      • AES256_HMAC_SHA1

      • Future encryption types

    5. Click Apply and then click OK.

    6. Launch the command prompt in the Active Directory Domain Controller and execute the following command to update the global policy:

      /gpupdate

Creating Service Principals for Kerberos Ticket Generation in Windows

To create service principals for Kerberos ticket generation:

  1. Create a service principal account for HDFS in the Windows Active Directory domain controller:

    1. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > right-click Users > New > User.

    2. In New Object - User, specify your first, last, and full name.

    3. Specify User logon name as hdfs/<DATANODE_HOST> and click Next.
    4. Specify and confirm your password. Ensure that you select Password Never Expires and click Next.
    5. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > right-click Users (The user created in the above steps) > Properties.

    6. Click Account, and under Account Options:, select all of the following:

      • This account supports Kerberos AES 128 bit encryption.

      • This account supports Kerberos AES 256 bit encryption.

      • Do not require Kerberos preauthentication.

    7. Click Apply and then click OK.

  2. Create a service principal account for HTTP in the Windows Active Directory domain controller:

    1. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > right-click Users > New > User.

    2. In New Object - User, specify your first, last, and full name.

    3. Specify User logon name as http/<DATANODE_HOST> and click Next.
    4. Specify and confirm your password. Ensure that you select Password Never Expires and click Next.
    5. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > right-click Users (The user created in the above steps) > Properties.

    6. Click Account, and under Account Options, select all of the following:

      • This account supports Kerberos AES 128 bit encryption.

      • This account supports Kerberos AES 256 bit encryption.

      • Do not require Kerberos preauthentication.

    7. Click Apply and then click OK.
  3. Repeat steps 1 and 2 for all the worker nodes where HDFS datanodes are active.

  4. For the service principal account created for HDFS, generate the keytabs by running the following commands in the Windows command prompt:

    ktpass /out hdfs_<DATANODE_HOST>.keytab /princ hdfs/<DATANODE_HOST>@<Domain name of domain controller> /mapuser <DATANODE_HOST without domain name>@<Domain name of domain controller> /pass <password> /crypto all /ptype KRB5_NT_PRINCIPAL

  5. For the service principal account created for HTTP, generate the keytabs by running the following commands in the Windows command prompt:

    ktpass /out http_<DATANODE_HOST>.keytab /princ http/<DATANODE_HOST>@<Domain name of domain controller> /mapuser <DATANODE_HOST without domain name>@<Domain name of domain controller> /pass <password> /crypto all /ptype KRB5_NT_PRINCIPAL

  6. Repeat steps 4 and 5 for all the worker nodes where HDFS datanodes are active.

Configuring HDFS Services to Use Keytabs

To configure HDFS services to use keytabs:

  1. For Datanode

    1. Launch a terminal session and log in to the Kubernetes worker node where the HDFS datanode is active.

    2. Copy the http<DATANODE_HOST>.keytab and hdfs<DATANODE_HOST>.keytabkeytab files from the Windows Active Directory domain controller and paste them in the /opt/arcsight/k8s-hostpath-volume/interset/hdfs/keytabs directory of the Kubernetes worker node where the HDFS datanode is active, then rename them as http.keytab and hdfs.keytab.

    3. Repeat step a and step b for all the HDFS datanodes that are active in the Kubernetes cluster.

    4. For all the keytab files present in the HDFS datanodes of the Kubernetes cluster, provide the permissions of the users who have privilege to NFS, then navigate to the /opt/arcsight/k8s-hostpath-volume/interset/hdfs/keytabs directory and set:

      chmod 600 *

      chown UID:GID *

      For example:

      chmod 600 hdfs.keytab

      chown 1999:1999 hdfs.keytab

  2. For Namenode

    1. Launch a terminal session and log in to the Kubernetes node where NFS is created.

    2. Copy the http<DATANODE_HOST>.keytab and hdfs<DATANODE_HOST>.keytabkeytab files from the Windows Active Directory domain controller and paste them in the /opt/arcsight-nfs/arcsight-volume/interset/hdfs/namenode/keytabs directory of the Kubernetes node where NFS is created, then rename them as http.keytab and hdfs.keytab

      You must generate the above keytab files for the Kubernetes worker node labeled as intelligence-namenode:yes.

    3. Repeat step a and step b for all the namenodes active in the Kubernetes cluster.

    4. For all the keytab files present in the HDFS datanodes of the Kubernetes cluster, provide the permissions of the users who have privilege to NFS, then navigate to the /opt/arcsight/k8s-hostpath-volume/interset/hdfs/keytabs directory and set:

      chmod 600 *

      chown UID:GID *

      For example:

      chmod 600 hdfs.keytab
      chown 1999:1999 hdfs.keytab