Skip to content

Authenticate Using Kerberos

This tutorial demonstrates integrating an Okera cluster with Kerberos, with end-to-end authentication enabled. This process generally involves the following steps:

  1. Create a keytab with two principals
  2. one with its service name as okera
  3. a second with its service name as HTTP.
  4. Set the keytab and principal configs in the environment.

The tutorial breaks the above steps into the following:

Prerequisites

This section lists out the necessary requirements to enable Kerberos for Okera.

  • KDC Make sure that you have a KDC set up and available, and can either request for credentials, or have access to the KDC to set up credentials yourself.
  • Ensure client-side Kerberos packages are installed Try running kinit and klist and make sure these utilities are installed.
  • Kerberos Configuration File This file is known as the krb5.conf file and this contains the information needed to authenticate a client against a KDC.
  • Make sure that this file exists in the location /etc/krb5.conf.

Creating the Kerberos Principals and Keytab Files.

In order to allow Okera's internal services to be authenticated end-to-end, we need to create the following 2 Kerberos principals, and add them to a single keytab file:

  • Okera principal

    This is of the format okera/<instance>@REALM. For example, this can be okera/okera-service@OKERA.TEST

  • HTTP principal

    This is of the format HTTP/<instance>@REALM. For example, this can be HTTP/okera-service@OKERA.TEST

To do this, log in with kadmin, and run the following command for each of the principals that needs to be created: 

addprinc -randkey <principal_name>`

Once the principals are created, create a single keytab file which contains both principals. Log in to the kadmin utility and run the following command: 

ktadd -kt <keytab_file_name> <principal_name_1> <principal_name_2>`

  1. Log in to your kadmin tool.

    $ sudo kadmin.local
kadmin.local:

  2. Make sure the required principals don't exist.

    kadmin.local: listprincs
prim1/inst1@OKERA.TEST
prim2/inst2@OKERA.TEST
prim2/inst3@OKERA.TEST
```

  3. Create the okera principal.

    kadmin.local: addprinc -randkey okera/okera-service
    • If you don't want a password, use the -randkey flag.

    • If you would rather have a password, don't use the flag.

      WARNING: no policy specified for okera/okera-service@OKERA.TEST; defaulting to no policy Principal "okera/okera-service@OKERA.TEST" created. kadmin.local:

  4. Create the http principal.

    kadmin.local: addprinc -randkey HTTP/okera-service
WARNING: no policy specified for HTTP/okera-service@OKERA.TEST; defaulting to no policy
Principal "okera/okera-service@OKERA.TEST" created.
kadmin.local:

  5. Create the keytab file.

    kadmin.local: ktadd -kt okera.keytab okera/okera-service HTTP/okera-service
Entry for principal okera/okera-service with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:okera.keytab.
Entry for principal HTTP/okera-service with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:okera.keytab.

  6. Exit the kadmin utility

    kadmin.local: q
$

Verifying Keytab File Principles

Verify that both the principals are present in the keytab file. 

$ klist -kt <KEYTAB_FILE_NAME>

For example, if the keytab file is called okera.keytab, the command looks like this: 

$ klist -kt okera.keytab
Keytab name: FILE:dumdum.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 03/02/2017 13:27:57 okera/okera-service@OKERA.TEST
   4 03/02/2017 13:27:57 HTTP/okera-service@OKERA.TEST

Setting the Environment Variables

Set the following settings in your configuration file (e.g. odas.yaml):

  • KERBEROS_PRINCIPAL Set this to the Okera principal created above.
  • KERBEROS_KEYTAB_FILE Set this to the path of the keytab file. This can be a local (e.g. file:///path/to/file) or remote (s3) path.
  • KERBEROS_HTTP_PRINCIPAL Set this to the HTTP principal if the principal is non-standard. This is not required if the principals were created with the steps above.
KERBEROS_PRINCIPAL: <principal>
KERBEROS_KEYTAB_FILE: <full_path_to_keytab_file>

Example: 

KERBEROS_PRINCIPAL: okera/okera-service
KERBEROS_KEYTAB_FILE: okera.keytab

More Information

Other docs that might be helpful are: