Kerberos Configuration

Overview

The Kerberos topology contains multiple tiers, all of which are configured to communicate with the Kerberos Key Distribution Center (KDC) so that authentication can flow from the SAS Data Loader for Hadoop client machine through to the Hadoop cluster. When you log on to the client machine, the KDC issues a time-stamped ticket-granting ticket (TGT). The browser then uses this TGT to obtain a service ticket for access to SAS Data Loader for Hadoop.
Two different types of Kerberos systems are available: AD (Windows Active Directory) and MIT. You might have either a realm for only AD Kerberos or mixed AD and MIT realms. A realm for only AD Kerberos protects the client machine, the vApp virtual machine, and the Hadoop cluster all through the AD domain controller. A realm for only AD Kerberos is simpler because it requires no further client configuration.
In a common configuration of mixed realms, AD Kerberos protects both the client machine and the vApp virtual machine, whereas MIT Kerberos protects only the Hadoop cluster. The mixed realms can be configured such that AD Kerberos protects only the client machine, whereas MIT Kerberos protects both the Hadoop cluster and the vApp virtual machine. Which realm configuration is in use determines how you must configure Kerberos.

vApp

Overview

You must generate a Service Principal Name (SPN) and Kerberos keytab for the host, SAS, and HTTP service instances.
The following SPNs must be created to allow ticket delegation, where hostname represents the host name that you have created and krbrealm represents your Kerberos realm:
  • host/hostname@krbrealm.
  • SAS/hostname@krbrealm. This allows single sign-on from the mid-tier to the SAS Object Spawner.
  • HTTP/hostname@krbrealm. This allows single sign-on with tc Server and the SASLogon web application.

Protecting the vApp with MIT Kerberos

When protecting the vApp using MIT Kerberos, you must configure the client machine to acquire tickets for the vApp from the correct realm. To do this, you must run the ksetup command to add a KDC and to assign the vApp host name to that KDC. For example, if the KDC host is server2.unx.zzz.com and the host name is dladtest1.vapps.zzz.com, issue the following commands:
ksetup /AddKdc DMM.KRB.ZZZ.COM server2.unx.zzz.com
ksetup /AddHostToRealmMap dladtest1.vapps.zzz.com DMM.KRB.ZZZ.COM
On a machine that is configured to communicate with the MIT Kerberos realm, generate the three SPNs and corresponding keytabs. For example, if the fully qualified domain name is dladtest1.vapps.zzz.com issue the following commands:
$ kadmin -p user2/admin -kt /opt/keytabs/admin/user2.dmm.keytab
  kadmin: addprinc -randkey +ok_as_delegate host/dladtest1.vapps.zzz.com
  kadmin: ktadd -k $hostname/host.dladtest1.keytab host/dladtest1.vapps.zzz.com
  kadmin: addprinc -randkey +ok_as_delegate SAS/dladtest1.vapps.zzz.com
  kadmin: ktadd -k $hostname/SAS.dladtest1.keytab SAS/dladtest1.vapps.zzz.com
  kadmin: addprinc -randkey +ok_as_delegate HTTP/dladtest1.vapps.zzz.com
  kadmin: ktadd -k $hostname/HTTP.dladtest1.keytab HTTP/dladtest1.vapps.zzz.com

Note: You must enable the ok_as_delegate flag to allow ticket delegation in the mid-tier.

Protecting the vApp with AD Kerberos

To generate SPNs and keytabs in AD Kerberos on Windows Server 2012, you must have administrator access to the Windows domain and follow these steps:
  1. Create SPN users:
    1. Launch the Server Manager on the domain controller.
    2. Select Tools, then select Active Directory Users and Computers.
    3. Select <domain name>, then select Managed Service Accounts.
    4. In the right pane, click New, then select User.
    5. In the User logon name field, enter host/fully-qualified-hostname. For example, enter host/dladtest1.vapps.zzz.com, and then click Next.
    6. Enter and confirm a password.
    7. If you are configuring a server with an operating system older than Windows 2000, change the logon name to host/simple-hostname. For example, enter host/dladtest1.
    8. Deselect User must change password at next logon, and then select Password never expires.
    9. Click Finish.
    10. Repeat the previous steps for SAS and HTTP SPN users.
  2. Create SPNs for each SPN user. At a command prompt on the domain controller, enter the following commands using a fully qualified host name and simple host name. For example, you might use dladtest1.vapps.zzz.com and dladtest1:
    > setspn -A host/dladtest1.vapps.zzz.com host_dladtest1
    > setspn -A SAS/dladtest1.vapps.zzz.com SAS_dladtest1
    > setspn -A HTTP/dladtest1.vapps.zzz.com HTTP_dladtest1
  3. Authorize ticket delegation:
    1. Launch the Server Manager on the domain controller.
    2. Select View, then select Advanced Features.
    3. Select the host/<vapp> user, then select Properties.
    4. On the Delegation tab, select Trust this user for delegation to any service (Kerberos only), and then click OK.
    5. Select the host/<vapp> user again, then select Properties.
    6. On the Attribute Editor tab, locate the msDS-KeyVersionNumber attribute. Record this number.
    7. Repeat the previous steps to authorize ticket delegation for the SAS and HTTP users.
  4. Create keytabs for each SPN. For UNIX, continue with this step. For Windows, skip to Step 5.
    1. At a command prompt, use the ktutil utility to create keytabs. Enter the following commands using a fully qualified host name, the realm for your domain, the password that you created, and the msDS-KeyVersionNumber. In the following host SPN keytab example, dladtest1.vapps.zzz.com, PROXY.KRB.ZZZ.COM, Psword, and -k 2 -e arcfour-hmac are used for these values:
      ktutil
      ktutil:  addent -password -p host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM -k 2 -e arcfour-hmac
      Psword for host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM :
      ktutil:  addent -password -p host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM -k 2 -e aes128-cts-hmac-sha1-96
      Psword for host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM :
      ktutil:  addent -password -p host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM -k 2 -e aes256-cts-hmac-sha1-96
      Psword for host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM :
      ktutil:  wkt host.dladtest1.keytab
      ktutil:  quit
    2. Repeat the previous steps to create the SAS and HTTP keytabs.
  5. To create keytabs for each SPN on Windows, follow these steps:
    1. At a command prompt, use the ktpass utility to create keytabs. Enter the following commands using a fully qualified host name, the realm for your domain, and any password (it does not have to be the password that you created earlier). In the following host SPN keytab example, dladtest1.vapps.zzz.com, NA.ZZZ.COM, and Psword are used for these values:
      ktpass.exe -princ host/dladtest1.vapps.zzz.com@NA.ZZZ.COM -mapUser Server\dladtest1-host -pass "Psword"
                 -pType KRB5_NT_PRINCIPAL -out dladtest1-host.keytab -crypto All
    2. Repeat the previous steps to create the SAS and HTTP keytabs.
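Whether the keytabs come from ktutil (MIT) or ktpass (AD), the failures that follow are the same: a missing SPN, a kvno that no longer matches the account's msDS-KeyVersionNumber after a password reset, or an RC4-only key. The following check is an added example, not part of the page or of SAS; it parses the output of MIT `klist -kte` (a constructed sample is embedded) and reports those three defects for the host, SAS and HTTP SPNs.

```python
import re

# Constructed sample of MIT `klist -kte` output for a vApp keytab (not output from the page):
# the HTTP entry is missing and the SAS entry predates a password reset on the AD user.
SAMPLE_KLIST = """\
Keytab name: FILE:dladtest1.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/02/2020 10:00:00 host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM (arcfour-hmac)
   2 01/02/2020 10:00:00 host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM (aes128-cts-hmac-sha1-96)
   2 01/02/2020 10:00:00 host/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM (aes256-cts-hmac-sha1-96)
   1 01/02/2020 10:00:00 SAS/dladtest1.vapps.zzz.com@PROXY.KRB.ZZZ.COM (aes256-cts-hmac-sha1-96)
"""
# kvno, timestamp (two tokens), service/host@realm, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+([^/\s]+)/([^@\s]+)@(\S+) \((\S+)\)\s*$")
REQUIRED_SERVICES = ("host", "SAS", "HTTP")  # the three SPNs the vApp needs

def parse_klist(text):
    """Return {(service, host, realm): {kvno: set_of_enctypes}} from klist -kte output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, svc, host, realm, etype = m.groups()
            entries.setdefault((svc, host, realm), {}).setdefault(int(kvno), set()).add(etype)
    return entries

def check_keytab(text, host, realm, expected_kvno):
    """List the defects that would stop the vApp SPNs from authenticating.

    expected_kvno is the current msDS-KeyVersionNumber of the AD user (the -k value
    given to ktutil); a password reset moves the KDC's kvno on, and a keytab built
    with the old number is silently stale."""
    entries = parse_klist(text)
    problems = []
    for svc in REQUIRED_SERVICES:
        keys = entries.get((svc, host, realm))
        if not keys:
            problems.append(f"missing {svc}/{host}@{realm}")
            continue
        if expected_kvno not in keys:
            problems.append(f"{svc}/{host}: keytab kvno {sorted(keys)} != KDC kvno {expected_kvno}")
        etypes = set().union(*keys.values())
        if not any(e.startswith("aes") for e in etypes):
            problems.append(f"{svc}/{host}: only {sorted(etypes)}, no AES key")
    return problems
```

Run it against `klist -kte <keytab>` output after each ktutil or ktpass run, and again whenever an SPN user's password is changed.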

Hadoop

Overview

The Hadoop cluster must be configured for Kerberos according to the instructions provided for the specific distribution that you are using.

Hortonworks

You must make the following specific change for Hortonworks:
* hive.server2.enable.doAs = true
When a Hortonworks cluster is protected by MIT Kerberos, you must set auth_to_local (the hadoop.security.auth_to_local property) as follows, where AD_DOMAIN_REALM and MIT_DOMAIN_REALM are the names of your AD and MIT realms:
RULE:[1:$1@$0](.*@\QAD_DOMAIN_REALM\E$)s/@\QAD_DOMAIN_REALM\E$//
RULE:[2:$1@$0](.*@\QAD_DOMAIN_REALM\E$)s/@\QAD_DOMAIN_REALM\E$//
RULE:[1:$1@$0](.*@\QMIT_DOMAIN_REALM\E$)s/@\QMIT_DOMAIN_REALM\E$//
RULE:[2:$1@$0](.*@\QMIT_DOMAIN_REALM\E$)s/@\QMIT_DOMAIN_REALM\E$//
DEFAULT
* hadoop.proxyuser.HTTP.hosts = *
* hadoop.proxyuser.HTTP.groups = *
* hadoop.proxyuser.hive.groups = *
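The auth_to_local rules above are what let a user whose TGT came from the AD realm, or a vApp SPN such as HTTP/hostname@AD_DOMAIN_REALM, be mapped to a plain Hadoop user name. The following Python reimplementation of Hadoop's rule evaluation is an added example (not Hadoop's code and not part of the page): it fills the placeholders with the page's example realm names (an assumption; use your own), walks the [1:...] and [2:...] rules for one- and two-component principals, and returns None for a principal from a realm that no rule trusts.

```python
import re

AD_REALM, MIT_REALM = "NA.ZZZ.COM", "DMM.KRB.ZZZ.COM"  # page's example realms (assumption: use yours)
AUTH_TO_LOCAL = "\n".join([
    rf"RULE:[1:$1@$0](.*@\Q{AD_REALM}\E$)s/@\Q{AD_REALM}\E$//",
    rf"RULE:[2:$1@$0](.*@\Q{AD_REALM}\E$)s/@\Q{AD_REALM}\E$//",
    rf"RULE:[1:$1@$0](.*@\Q{MIT_REALM}\E$)s/@\Q{MIT_REALM}\E$//",
    rf"RULE:[2:$1@$0](.*@\Q{MIT_REALM}\E$)s/@\Q{MIT_REALM}\E$//",
    "DEFAULT",
])
# RULE:[n:format](match-regex)s/pattern/replacement/[g]; the regex and sed parts are optional
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

def _java_regex(pat):
    # Python's re lacks Java's \Q...\E literal quoting; expand each quoted span with re.escape
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pat)

def parse_rules(text):
    rules = []  # each rule is (n, format, match, pattern, replacement, global); None = DEFAULT
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        ncomp, fmt, match, pat, rep, glob = m.groups()
        rep = re.sub(r"\$(\d)", r"\\\1", rep or "")  # Java $1 -> Python \1 in the replacement
        rules.append((int(ncomp), fmt, match, pat, rep, glob == "g"))
    return rules

def to_local(principal, rules, default_realm):
    # Returns the short name, or None when no rule accepts the principal (Hadoop rejects the logon)
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    for rule in rules:
        if rule is None:  # DEFAULT: only the cluster's own realm maps to the first component
            if realm == default_realm:
                return comps[0]
            continue
        ncomp, fmt, match, pat, rep, glob = rule
        if len(comps) != ncomp:  # [1:..] rules see user@REALM, [2:..] rules see svc/host@REALM
            continue
        s = fmt.replace("$0", realm)
        for i, comp in enumerate(comps, 1):
            s = s.replace(f"${i}", comp)
        if match and not re.fullmatch(_java_regex(match), s):
            continue
        return re.sub(_java_regex(pat), rep, s, count=0 if glob else 1) if pat else s
    return None
```

The HTTP/hostname@AD_DOMAIN_REALM case mapping to the short name HTTP is why the hadoop.proxyuser.HTTP.* settings above are needed for the impersonation step.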

Cloudera

When a Cloudera cluster is protected by MIT Kerberos, add AD_DOMAIN_REALM to Trusted Kerberos Realms under the HDFS configuration.

MapR

MapR deployments do not support Kerberos.

SAS LASR Analytic Server

Integration of SAS Data Loader for Hadoop with a SAS LASR Analytic Server is possible only in an AD Kerberos environment. SAS Data Loader for Hadoop cannot be integrated with SAS LASR Analytic Server in a mixed AD and MIT Kerberos environment.
A public key is created as part of SAS Data Loader for Hadoop vApp configuration and is placed in the SAS Data Loader for Hadoop shared folder. This public key must also exist on the SAS LASR Analytic Server grid. The public key must be appended to the authorized_keys file in the .ssh directory of that user.
For more information about the SAS LASR Analytic Server administrator, see “LASR Analytic Servers Panel” in the SAS Data Loader for Hadoop: User’s Guide.