Configuring Okera and Kerberos

This tutorial demonstrates integrating an Okera cluster with Kerberos, with end-to-end authentication enabled. This process generally involves the following steps:

  1. Create a keytab with two principals
    • one with its service name as okera
    • a second with its service name as HTTP.
  2. Set the keytab and principal configs in the environment.

The tutorial breaks the above steps into the following:

Prerequisites

This section lists out the necessary requirements to enable Kerberos for Okera.

  • KDC Make sure that you have a KDC set up and available, and can either request for credentials, or have access to the KDC to set up credentials yourself.
  • Ensure client-side Kerberos packages are installed Try running kinit and klist and make sure these utilities are installed.
  • Kerberos Configuration File This file is known as the krb5.conf file and this contains the information needed to authenticate a client against a KDC.
    • Make sure that this file exists in the location /etc/krb5.conf.

Creating the Kerberos Principals and Keytab Files.

In order to allow Okera’s internal services to be authenticated end-to-end, we need to create the following 2 Kerberos principals, and add them to a single keytab file:

  • Okera principal

    This is of the format okera/<instance>@REALM. For example, this can be okera/okera-service@OKERA.TEST

  • HTTP principal

    This is of the format HTTP/<instance>@REALM. For example, this can be HTTP/okera-service@OKERA.TEST

To do this, log in with kadmin, and run the following command for each of the principals that needs to be created:

addprinc -randkey <principal_name>`

Once the principals are created, create a single keytab file which contains both principals. Log into the kadmin utility and run the following command:

ktadd -kt <keytab_file_name> <principal_name_1> <principal_name_2>`
  1. Log into your kadmin tool.
    $ sudo kadmin.local
    kadmin.local:
    
  2. Make sure the required principals don’t exist.
    kadmin.local: listprincs
    
    prim1/inst1@OKERA.TEST
    prim2/inst2@OKERA.TEST
    prim2/inst3@OKERA.TEST
    
  3. Create the okera principal.
    kadmin.local: addprinc -randkey okera/okera-service
    
    • If you don’t want a password, use the -randkey flag.
    • If you would rather have a password, don’t use the flag.
    WARNING: no policy specified for okera/okera-service@OKERA.TEST; defaulting to no policy
    Principal "okera/okera-service@OKERA.TEST" created.
    kadmin.local:
    
  4. Create the http principal.
    kadmin.local: addprinc -randkey HTTP/okera-service
    
    WARNING: no policy specified for HTTP/okera-service@OKERA.TEST; defaulting to no policy
    Principal "okera/okera-service@OKERA.TEST" created.
    kadmin.local:
    
  5. Create the keytab file.
    kadmin.local: ktadd -kt okera.keytab okera/okera-service HTTP/okera-service
    
    Entry for principal okera/okera-service with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:okera.keytab.
    Entry for principal HTTP/okera-service with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:okera.keytab.
    
  6. Exit the kadmin utility
    kadmin.local: q
    $
    

Verifying Keytab File Principles

Verify that both the principals are present in the keytab file.

$ klist -kt <KEYTAB_FILE_NAME>

For example, if the keytab file is called okera.keytab, the command looks like this:

$ klist -kt okera.keytab
Keytab name: FILE:dumdum.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 03/02/2017 13:27:57 okera/okera-service@OKERA.TEST
   4 03/02/2017 13:27:57 HTTP/okera-service@OKERA.TEST

Setting the Environment Variables

Set the following environment variables:

  • OKERA_KERBEROS_PRINCIPAL Set this to the Okera principal created above.
  • OKERA_KERBEROS_KEYTAB_FILE Set this to the path of the keytab file. This can be a local or remote (s3) path.
  • OKERA_KERBEROS_HTTP_PRINCIPAL Set this to the HTTP principal if the principal is non-standard. This is not required if the principals were created with the steps above.
     export OKERA_KERBEROS_PRINCIPAL=<principal>
     export OKERA_KERBEROS_KEYTAB_FILE=<full_path_to_keytab_file>
    

    Example:

     export CEREBRO_KERBEROS_PRINCIPAL=okera/okera-service
     export OKERA_KERBEROS_KEYTAB_FILE=okera.keytab
    

More Information

Other docs that might be helpful are: