How to manage users in Oracle BDA using Kerberos authentication


Set up Kerberos for a user
Note: make sure to enable the ktkt_warn service on the Solaris client:

svcadm enable ktkt_warn

Extend the maximum renewable ticket lifetime to 1460d (4 years) in the KDC config:

/var/kerberos/krb5kdc/kdc.conf
[..]
  max_life = 24h 0m 0s
  max_renewable_life = 1460d 0h 0m 0s
[..]

And the matching settings in
/etc/krb5.conf
[..]
[libdefaults]
[..]
 ticket_lifetime = 24h
 renew_lifetime = 1460d
[..]

Update: how to create a service principal or a Kerberos keytab

# Connect locally to the KDC (on node one or two)
kadmin.local

# Add new user (supply password)
addprinc usera/n04.domain.com@DEVTECH101.COM
# Add new user to keytab
ktadd -k /tmp/usera.keytab usera/n04.domain.com@DEVTECH101.COM


# Add user (no password will be asked)
addprinc -randkey usera/n04.domain.com@DEVTECH101.COM
# Create keytab (no password)
xst -norandkey -k /tmp/usera.keytab usera/n04.domain.com@DEVTECH101.COM

Modify a principal to allow a 7-day renewable ticket:

modprinc -maxrenewlife 1week cognos/n04.domain.com@DEVTECH101.COM

# Verify
getprinc cognos/n04.domain.com@DEVTECH101.COM

# Modify globally: limits on the krbtgt principal apply to every ticket issued in the realm
modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/DEVTECH101.COM

Manually add encryption types when creating a keytab

# Create the user principal and set its password
kadmin.local
addprinc usera/n04.domain.com@DEVTECH101.COM

# Get a ticket with a longer lifetime
kinit -f -l 3d usera@DEVTECH101.COM

# Generate a keytab file
ktutil
ktutil:  addent -password -p usera/n04.domain.com@DEVTECH101.COM -k 1 -e rc4-hmac
Password for usera@DEVTECH101.COM: 
ktutil:  addent -password -p usera/n04.domain.com@DEVTECH101.COM -k 1 -e aes256-cts
Password for usera/n04.domain.com@DEVTECH101.COM: 
ktutil:  wkt usera.keytab
ktutil:  quit

# Further user examples (same two addent steps per user)
addent -password -p userb/n04.domain.com@DEVTECH101.COM -k 1 -e rc4-hmac 
addent -password -p userb/n04.domain.com@DEVTECH101.COM -k 1 -e aes256-cts
wkt userb.keytab

addent -password -p userc/n04.domain.com@DEVTECH101.COM -k 1 -e rc4-hmac
addent -password -p userc/n04.domain.com@DEVTECH101.COM -k 1 -e aes256-cts
wkt userc.keytab

To connect with Kerberos you need to configure your local machine (the client) to obtain a Kerberos ticket; this includes using a keytab file.

Depending on the OS (the source system you are connecting from), send me the host names so I can add the config below to the krb5.conf file.
Below is the krb5.conf config: if it is a Solaris client I will just add it; if it is a Windows client we will have to see what tools to use to get a ticket.

# Create a krb5.conf
/etc/krb5/krb5.conf
----------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DEVTECH101.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 1460d
 forwardable = yes

[realms]
 DEVTECH101.COM = {
  kdc = n01.domain.com:88
  kdc = n02.domain.com:88
  admin_server = n01.domain.com:749
  default_domain = domain.com
 }

[domain_realm]
 .domain.com = DEVTECH101.COM
 domain.com = DEVTECH101.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Now, as the user you connect with, you need to obtain a Kerberos ticket from the keytab:

kinit -k -t user_name.keytab user_name@DEVTECH101.COM

# For example
kinit -k -t usera.keytab usera@DEVTECH101.COM

Once complete, you can issue curl commands against the BDA.

# Example 1 uses the NameNode port 1006 (with Kerberos the original port 50075 is now 1006)
First get a delegation token from the namenode (the \K in the grep pattern drops the JSON key so only the token value is kept):
token=`curl -s --negotiate -u : "http://n02.domain.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN"`
token=`echo $token | grep -Po 'urlString":"\K[^"]*'`

Then use the token to upload to any node:

kinit -kt usera.keytab usera@DEVTECH101.COM && {
    token=`curl -s --negotiate -u : "http://n02.domain.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN"`
    token=`echo $token | grep -Po 'urlString":"\K[^"]*'`
    curl --negotiate -i -L -u:usera -X PUT -T abc.pdf "http://n03.domain.com:1006/webhdfs/v1/user/usera/abc.pdf?delegation=${token}&op=CREATE&namenoderpcaddress=bda-cluster1-ns&overwrite=false"
}
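An added example, not part of the original post, that wraps the token-then-PUT flow above in a small helper: it pulls urlString out of the GETDELEGATIONTOKEN reply, refuses to build the upload URL when the reply carries no token (for example an error body returned once the Kerberos ticket has expired), and only then performs the PUT. The KRB_KEYTAB and KRB_PRINC variables, the sample reply and its token value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the "get delegation
# token, then PUT" flow with a check that the token was actually extracted.

# Constructed sample reply in the shape WebHDFS returns for
# op=GETDELEGATIONTOKEN; the token value is a placeholder, not a real token.
SAMPLE_REPLY='{"Token":{"urlString":"KAAEdXNlcmEEdXNlcmEAigFSX1khK4oBUoNlpSsW"}}'

# Print the urlString value from a GETDELEGATIONTOKEN reply.
# Prints nothing and returns 1 when the reply carries no token
# (e.g. a RemoteException body after the Kerberos ticket expired).
extract_token() {
    tok=$(printf '%s\n' "$1" | sed -n 's/.*"urlString":"\([^"]*\)".*/\1/p')
    [ -n "$tok" ] || return 1
    printf '%s' "$tok"
}

# Build the DataNode CREATE URL used in the post (port 1006, nameservice
# bda-cluster1-ns) from the target host, the HDFS path and the token.
build_create_url() {
    printf 'http://%s:1006/webhdfs/v1%s?delegation=%s&op=CREATE&namenoderpcaddress=bda-cluster1-ns&overwrite=false' \
        "$1" "$2" "$3"
}

# The full flow as the post runs it. KRB_KEYTAB and KRB_PRINC are assumed
# environment variables, e.g. usera.keytab and usera@DEVTECH101.COM.
webhdfs_put() {
    local_file=$1; hdfs_path=$2
    kinit -kt "$KRB_KEYTAB" "$KRB_PRINC" || return 1
    reply=$(curl -s --negotiate -u : \
        "http://n02.domain.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN") || return 1
    token=$(extract_token "$reply") || {
        echo "no delegation token in GETDELEGATIONTOKEN reply" >&2; return 1; }
    curl --negotiate -i -L -u : -X PUT -T "$local_file" \
        "$(build_create_url n03.domain.com "$hdfs_path" "$token")"
}
```

Calling `webhdfs_put abc.pdf /user/usera/abc.pdf` reproduces the upload above but stops before the PUT if no token came back.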

A more manual version is to first get the delegation token and the redirect Location, then use those:

# Get the delegation token and Location
curl --negotiate -i -L -u:usera -X PUT "http://n02.domain.com:50070/webhdfs/v1/user/usera/abc.pdf?user.name=usera&op=CREATE"
HTTP/1.1 401 Authentication required
Date: Wed, 20 Jan 2016 14:03:42 GMT
Pragma: no-cache
Date: Wed, 20 Jan 2016 14:03:42 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
Content-Length: 0
Server: Jetty(6.1.26.cloudera.4)

HTTP/1.1 307 TEMPORARY_REDIRECT
Cache-Control: no-cache
Expires: Wed, 20 Jan 2016 14:03:42 GMT
Date: Wed, 20 Jan 2016 14:03:42 GMT
Pragma: no-cache
Expires: Wed, 20 Jan 2016 14:03:42 GMT
Date: Wed, 20 Jan 2016 14:03:42 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate oYH1MIHyoAMKAQChCwYJKoZIhvcSAQICom4EbGBqBgkqhkiG9xIBAgICAG9bMFmgAwIBBaEDAgEPok0wS6ADAgESokQEQvl+tOyPGmUgvHbeBIknEKeJV3pieK95/AG9hexOhSwBO1V8/Wu90KQ0bFJa9svqUaGLQdK9uY6JQqONCwyy2oFlS6NuBGxgagYJKoZIhvcSAQICAgBvWzBZoAMCAQWhAwIBD6JNMEugAwIBEqJEBEL5frTsjxplILx23gSJJxCniVd6YnivefwBvYXsToUsATtVfP1rvdCkNGxSWvbL6lGhi0HSvbmOiUKjjQsMstqBZUs=
Set-Cookie: hadoop.auth="u=usera&p=usera@DEVTECH101.COM&t=kerberos&e=1453334622762&s=+PDlr3uq/hJsR3CyGL9ehUSX9a0="; Path=/; Expires=Thu, 21-Jan-2016 00:03:42 GMT; HttpOnly
Location: http://n04.domain.com:1006/webhdfs/v1/user/usera/abc.pdf?op=CREATE&delegation=HAAEZWxpawRlbGlrAIoBUl9ZISuKAVKDZaUrFg0UMlGzrp9qrXLCUolOJUyq3UgIBTgSV0VCSERGUyBkZWxlZ2F0aW9uEjE5Mi4xNjguMTAuNTI6ODAyMA&namenoderpcaddress=bda-cluster1-ns&overwrite=false
Content-Type: application/octet-stream
Content-Length: 0
Server: Jetty(6.1.26.cloudera.4)

# Use the delegation token and Location above for the final upload

curl --negotiate -i -L -u:usera -X PUT -T abc.pdf "http://n04.domain.com:1006/webhdfs/v1/user/usera/abc2.pdf?op=CREATE&delegation=HAAEZWxpawRlbGlrAIoBUl9ZISuKAVKDZaUrFg0UMlGzrp9qrXLCUolOJUyq3UgIBTgSV0VCSERGUyBkZWxlZ2F0aW9uEjE5Mi4xNjguMTAuNTI6ODAyMA&namenoderpcaddress=bda-cluster1-ns&overwrite=false"

# Or do it in one step against the active NameNode
# Example 2 uses the NameNode port 50070

# Verify your files once things work
curl -i --negotiate -L -u :usera "http://n02.domain.com:50070/webhdfs/v1/user/usera?op=LISTSTATUS"
HTTP/1.1 401 Authentication required
Cache-Control: must-revalidate,no-cache,no-store
Date: Tue, 19 Jan 2016 22:39:14 GMT
Pragma: no-cache
Date: Tue, 19 Jan 2016 22:39:14 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
Content-Length: 1413
Server: Jetty(6.1.26.cloudera.4)

HTTP/1.1 200 OK
Cache-Control: no-cache
Expires: Tue, 19 Jan 2016 22:39:14 GMT
Date: Tue, 19 Jan 2016 22:39:14 GMT
Pragma: no-cache
Expires: Tue, 19 Jan 2016 22:39:14 GMT
Date: Tue, 19 Jan 2016 22:39:14 GMT
Pragma: no-cache
Content-Type: application/json
WWW-Authenticate: Negotiate oYH1MIHyoAMKAQChCwYJKoZIhvcSAQICom4EbGBqBgkqhkiG9xIBAgICAG9bMFmgAwIBBaEDAgEPok0wS6ADAgESokQEQkqjcRxqI7uDqqQ3KZdKEE7vDGrs8bhTBxW0+/331QrRQO4Tn0IxNBnYu/DryUk3or41sG3EPRdD2SAAsCuBcXPHl6NuBGxgagYJKoZIhvcSAQICAgBvWzBZoAMCAQWhAwIBD6JNMEugAwIBEqJEBEJKo3EcaiO7g6qkNymXShBO7wxq7PG4UwcVtPv999UK0UDuE59CMTQZ2Lvw68lJN6K+NbBtxD0XQ9kgALArgXFzx5c=
Set-Cookie: hadoop.auth="u=usera&p=usera@DEVTECH101.COM&t=kerberos&e=1453279154565&s=QH+ygY/uUnz890UhU3rStH59W0M="; Path=/; Expires=Wed, 20-Jan-2016 08:39:14 GMT; HttpOnly
Transfer-Encoding: chunked
Server: Jetty(6.1.26.cloudera.4)

{"FileStatuses":{"FileStatus":[
{"accessTime":0,"blockSize":0,"childrenNum":0,"fileId":175495,"group":"usera","length":0,"modificationTime":1451001600029,"owner":"usera","pathSuffix":".Trash","permission":"755","replication":0,"storagePolicy":0,"type":"DIRECTORY"},
{"accessTime":0,"blockSize":0,"childrenNum":0,"fileId":175613,"group":"usera","length":0,"modificationTime":1450906810369,"owner":"usera","pathSuffix":".staging","permission":"700","replication":0,"storagePolicy":0,"type":"DIRECTORY"},
{"accessTime":1452201840225,"blockSize":268435456,"childrenNum":0,"fileId":175512,"group":"usera","length":57,"modificationTime":1450905113409,"owner":"usera","pathSuffix":"bigdata_test.csv","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"},
{"accessTime":1452101232190,"blockSize":268435456,"childrenNum":0,"fileId":221097,"group":"usera","length":1269517,"modificationTime":1452101232207,"owner":"usera","pathSuffix":"dest_file_name.pdf","permission":"755","replication":3,"storagePolicy":0,"type":"FILE"},
{"accessTime":0,"blockSize":0,"childrenNum":0,"fileId":175609,"group":"usera","length":0,"modificationTime":1450906810771,"owner":"usera","pathSuffix":"oozie-oozi","permission":"755","replication":0,"storagePolicy":0,"type":"DIRECTORY"}
]}}

In one step, using the NameNode:

curl --negotiate -i -L -u:usera -X PUT -T abc.pdf "http://n02.domain.com:50070/webhdfs/v1/user/usera/abc.pdf?user.name=usera&op=CREATE&user.name=usera&namenoderpcaddress=bda-cluster1-ns&overwrite=false"
HTTP/1.1 100 Continue

HTTP/1.1 401 Authentication required
Date: Wed, 20 Jan 2016 13:49:34 GMT
Pragma: no-cache
Date: Wed, 20 Jan 2016 13:49:34 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
Content-Length: 0
Server: Jetty(6.1.26.cloudera.4)

HTTP/1.1 100 Continue

HTTP/1.1 307 TEMPORARY_REDIRECT
Cache-Control: no-cache
Expires: Wed, 20 Jan 2016 13:49:34 GMT
Date: Wed, 20 Jan 2016 13:49:34 GMT
Pragma: no-cache
Expires: Wed, 20 Jan 2016 13:49:34 GMT
Date: Wed, 20 Jan 2016 13:49:34 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate oYH1MIHyoAMKAQChCwYJKoZIhvcSAQICom4EbGBqBgkqhkiG9xIBAgICAG9bMFmgAwIBBaEDAgEPok0wS6ADAgESokQEQkqRAn8sayDiMVVLwMUcnzFeVMG7r+edaMPvrkJh0hEbMzrP7v2El8nRHflezhpaaY2XIJnMixGqaP38gH2NGzjP1KNuBGxgagYJKoZIhvcSAQICAgBvWzBZoAMCAQWhAwIBD6JNMEugAwIBEqJEBEJKkQJ/LGsg4jFVS8DFHJ8xXlTBu6/nnWjD765CYdIRGzM6z+79hJfJ0R35Xs4aWmmNlyCZzIsRqmj9/IB9jRs4z9Q=
Set-Cookie: hadoop.auth="u=usera&p=usera@DEVTECH101.COM&t=kerberos&e=1453333774561&s=e0sldriEi3/YPPZaZnPSnbzeFhA="; Path=/; Expires=Wed, 20-Jan-2016 23:49:34 GMT; HttpOnly
Location: http://n01.domain.com:1006/webhdfs/v1/user/usera/abc.pdf?op=CREATE&delegation=HAAEZWxpawRlbGlrAIoBUl9ML-KKAVKDWLPiFQ0Ug2xFWWtesg9CMqGGGZ22zPozvLISV0VCSERGUyBkZWxlZ2F0aW9uEjE5Mi4xNjguMTAuNTI6ODAyMA&namenoderpcaddress=bda-cluster1-ns&overwrite=false
Content-Type: application/octet-stream
Content-Length: 0
Server: Jetty(6.1.26.cloudera.4)

HTTP/1.1 100 Continue

HTTP/1.1 201 Created
Cache-Control: no-cache
Expires: Wed, 20 Jan 2016 13:49:34 GMT
Date: Wed, 20 Jan 2016 13:49:34 GMT
Pragma: no-cache
Expires: Wed, 20 Jan 2016 13:49:34 GMT
Date: Wed, 20 Jan 2016 13:49:34 GMT
Pragma: no-cache
Location: webhdfs://bda-cluster1-ns/user/usera/abc.pdf
Content-Type: application/octet-stream
Content-Length: 0
Server: Jetty(6.1.26.cloudera.4)
