Authenticate Using Kerberos¶
This tutorial demonstrates integrating an Okera cluster with Kerberos, with end-to-end authentication enabled. This process generally involves the following steps:
- Create a keytab with two principals
- one with its service name as
okera
- a second with its service name as
HTTP
. - Set the keytab and principal configs in the environment.
The tutorial breaks the above steps into the following:
Prerequisites¶
This section lists out the necessary requirements to enable Kerberos for Okera.
- KDC Make sure that you have a KDC set up and available, and can either request for credentials, or have access to the KDC to set up credentials yourself.
- Ensure client-side Kerberos packages are installed
Try running
kinit
andklist
and make sure these utilities are installed. - Kerberos Configuration File This file is known as the krb5.conf file and this contains the information needed to authenticate a client against a KDC.
- Make sure that this file exists in the location /etc/krb5.conf.
Creating the Kerberos Principals and Keytab Files.¶
In order to allow Okera's internal services to be authenticated end-to-end, we need to create the following 2 Kerberos principals, and add them to a single keytab file:
-
Okera principal
This is of the format
okera/<instance>@REALM
. For example, this can beokera/okera-service@OKERA.TEST
-
HTTP principal
This is of the format
HTTP/<instance>@REALM
. For example, this can beHTTP/okera-service@OKERA.TEST
To do this, log in with kadmin, and run the following command for each of the principals that needs to be created:
addprinc -randkey <principal_name>`
Once the principals are created, create a single keytab file which contains both principals.
Log in to the kadmin
utility and run the following command:
ktadd -kt <keytab_file_name> <principal_name_1> <principal_name_2>`
-
Log in to your
kadmin
tool.$ sudo kadmin.local kadmin.local:
-
Make sure the required principals don't exist.
kadmin.local: listprincs prim1/inst1@OKERA.TEST prim2/inst2@OKERA.TEST prim2/inst3@OKERA.TEST ```
-
Create the okera principal.
kadmin.local: addprinc -randkey okera/okera-service
- If you don't want a password, use the
-randkey
flag. -
If you would rather have a password, don't use the flag.
WARNING: no policy specified for okera/okera-service@OKERA.TEST; defaulting to no policy Principal "okera/okera-service@OKERA.TEST" created. kadmin.local:
- If you don't want a password, use the
-
Create the http principal.
kadmin.local: addprinc -randkey HTTP/okera-service WARNING: no policy specified for HTTP/okera-service@OKERA.TEST; defaulting to no policy Principal "okera/okera-service@OKERA.TEST" created. kadmin.local:
-
Create the keytab file.
kadmin.local: ktadd -kt okera.keytab okera/okera-service HTTP/okera-service Entry for principal okera/okera-service with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:okera.keytab. Entry for principal HTTP/okera-service with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:okera.keytab.
-
Exit the kadmin utility
kadmin.local: q $
Verifying Keytab File Principles¶
Verify that both the principals are present in the keytab file.
$ klist -kt <KEYTAB_FILE_NAME>
For example, if the keytab file is called okera.keytab, the command looks like this:
$ klist -kt okera.keytab
Keytab name: FILE:dumdum.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 03/02/2017 13:27:57 okera/okera-service@OKERA.TEST
4 03/02/2017 13:27:57 HTTP/okera-service@OKERA.TEST
Setting the Environment Variables¶
Set the following settings in your configuration file (e.g. odas.yaml
):
KERBEROS_PRINCIPAL
Set this to the Okera principal created above.KERBEROS_KEYTAB_FILE
Set this to the path of the keytab file. This can be a local (e.g.file:///path/to/file
) or remote (s3) path.KERBEROS_HTTP_PRINCIPAL
Set this to the HTTP principal if the principal is non-standard. This is not required if the principals were created with the steps above.
KERBEROS_PRINCIPAL: <principal>
KERBEROS_KEYTAB_FILE: <full_path_to_keytab_file>
Example:
KERBEROS_PRINCIPAL: okera/okera-service
KERBEROS_KEYTAB_FILE: okera.keytab
More Information¶
Other docs that might be helpful are: