Kerberos Configuration

Overview

The Kerberos topology contains multiple tiers. They are configured to communicate with the Kerberos Key Distribution Center (KDC) to allow authentication to flow from the SAS Data Loader for Hadoop client machine through to the Hadoop cluster. When you log on to the client machine, the KDC issues a ticket granting ticket (TGT), which is time stamped. The browser uses this TGT to obtain a service ticket for SAS Data Loader for Hadoop.
Two different types of Kerberos systems are available: AD (Windows Active Directory) and MIT. You might have either a realm for only AD Kerberos or mixed AD and MIT realms. A realm for only AD Kerberos protects the client machine, the vApp virtual machine, and the Hadoop cluster all through the AD domain controller. A realm for only AD Kerberos is simpler because it requires less client configuration.
In a common configuration of mixed realms, AD Kerberos protects both the client machine and the vApp virtual machine, whereas MIT Kerberos protects only the Hadoop cluster. The mixed realms can be configured such that AD Kerberos protects only the client machine, whereas MIT Kerberos protects both the Hadoop cluster and the vApp virtual machine. Finally, it is possible to configure an all-MIT environment using the MIT Kerberos for Windows libraries to authenticate the client. Which realm configuration is in use determines how you must configure Kerberos.

vApp

Overview

You must generate a Service Principal Name (SPN) and Kerberos keytab for the host, SAS, and HTTP service instances.
The following SPNs must be created to allow ticket delegation, where hostname represents the host name that you have created and KRBREALM represents your Kerberos realm:
  • host/hostname@KRBREALM.
  • SAS/hostname@KRBREALM. This allows single sign-on from the middle tier to the SAS Object Spawner.
  • HTTP/hostname@KRBREALM. This allows single sign-on with the tc Server and the SASLogon web application.

Protecting the vApp with MIT Kerberos

When protecting the vApp using MIT Kerberos, the client machine must be configured to acquire tickets for the vApp from the correct realm. For more information, see the SAS Data Loader for Hadoop: vApp Deployment Guide. You must provide the name of the KDC server to the person configuring the client machine.
On a machine that is configured to communicate with the MIT Kerberos realm, generate the three SPNs and corresponding keytabs. For example, if the fully qualified domain name is dltest1.vapps.zzz.com issue the following commands:
$ kadmin -p user2/admin -kt /home/user2/user2_admin.keytab 
  kadmin: addprinc -randkey +ok_as_delegate host/dltest1.vapps.zzz.com
  kadmin: ktadd -k $hostname/host.dltest1.keytab host/dltest1.vapps.zzz.com
  kadmin: addprinc -randkey +ok_as_delegate SAS/dltest1.vapps.zzz.com
  kadmin: ktadd -k $hostname/SAS.dltest1.keytab SAS/dltest1.vapps.zzz.com
  kadmin: addprinc -randkey +ok_as_delegate HTTP/dltest1.vapps.zzz.com
  kadmin: ktadd -k $hostname/HTTP.dltest1.keytab HTTP/dltest1.vapps.zzz.com
  
Note: You must enable the ok_as_delegate flag to allow ticket delegation in the middle tier.

Protecting the vApp with AD Kerberos

To generate SPNs and keytabs in AD Kerberos on Windows Server 2012, you must have administrator access to the Windows domain and then follow these steps:
  1. Create Managed Service Accounts:
    1. Launch the Server Manager on the domain controller.
    2. Select Server Manager, then select Tools, then select Active Directory Users and Computers.
    3. Select <domain name>, then select Managed Service Accounts.
    4. In the right pane, click New, then select User.
    5. In the User logon name field, enter host/fully-qualified-hostname. For example, enter host/dltest1.vapps.zzz.com, and then click Next.
    6. Enter and confirm a password.
    7. If you are configuring a server with an operating system older than Windows 2000, change the logon name to HTTP/simple-hostname. For example, enter host/dltest1.
    8. Deselect User must change password at next logon, and then select Password never expires.
    9. Click Finish.
    10. Repeat the previous steps for the SAS and HTTP service accounts.
  2. Create SPNs for each SPN user. At a command prompt on the domain controller, enter the following commands using a fully qualified host name and simple host name. For example, you might use dltest1.vapps.zzz.com and dltest1:
    > setspn -A host/dltest1.vapps.zzz.com host_dltest1
    > setspn -A SAS/dltest1.vapps.zzz.com SAS_dltest1
    > setspn -A HTTP/dltest1.vapps.zzz.com HTTP_dltest1
  3. Authorize ticket delegation:
    1. Launch the Server Manager on the domain controller.
    2. Select Server Manager, then select Tools, then select Active Directory Users and Computers.
    3. Select View, then select Advanced Features.
    4. Select host/<vapp> user. Right-click, and then select Properties.
    5. Select the Delegation tab.
    6. Select Trust this user for delegation to any service (Kerberos only), and then click Apply.
    7. Navigate to the Attribute Editor tab.
    8. On the Attribute Editor tab, locate the msDS-KeyVersionNumber attribute. Record this number. Click OK.
    9. Repeat the previous steps to authorize ticket delegation for the SAS and HTTP users.
  4. Create keytabs for each SPN. For UNIX, continue with this step. For Windows, skip to Step 5.
    1. At a command prompt, use the ktutil utility to create keytabs. Enter the following commands using a fully qualified host name, the realm for your domain, the password that you created, and the msDS-KeyVersionNumber. In the following host SPN keytab example, dltest1.vapps.zzz.com, AD.ZZZ.COM, Psword, and -k 2 -e arcfour-hmac are used for these values:
      ktutil
      ktutil:  addent -password -p host/dltest1.vapps.zzz.com@AD.ZZZ.COM -k 2 -e arcfour-hmac
      Psword for host/dltest1.vapps.zzz.com@AD.ZZZ.COM :
      ktutil:  addent -password -p host/dltest1.vapps.zzz.com@AD.ZZZ.COM -k 2 -e aes128-cts-hmac-sha1-96
      Psword for host/dltest1.vapps.zzz.com@AD.ZZZ.COM :
      ktutil:  addent -password -p host/dltest1.vapps.zzz.com@AD.ZZZ.COM -k 2 -e aes256-cts-hmac-sha1-96
      Psword for host/dltest1.vapps.zzz.com@AD.ZZZ.COM :
      ktutil:  wkt host.dltest1.keytab
      ktutil:  quit
    2. Repeat the previous steps to create the SAS and HTTP keytabs.
  5. To create keytabs for each SPN on Windows, follow these steps:
    1. At a command prompt, use the ktpass utility to create keytabs. Enter the following commands using a fully qualified host name, the realm for your domain, and any password (it does not have to be the password that you created earlier). In the following host SPN keytab example, dltest1.vapps.zzz.com, AD.ZZZ.COM, and Psword are used for these values:
      ktpass.exe -princ host/dltest1.vapps.zzz.com@AD.ZZZ.COM -mapUser user@fully.qualified.domain -pass "Psword" 
               -pType KRB5_NT_PRINCIPAL -out dltest1-host.keytab -crypto All
    2. Repeat the previous steps to create the SAS and HTTP keytabs.
  6. Provide the keytabs to the vApp user.
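The KDC accepts a keytab created with ktutil or ktpass only if the key version number stored in it matches the account's msDS-KeyVersionNumber (recorded in step 3) and the entries carry the encryption types the KDC will negotiate (step 4 writes three). The following added example, which is not SAS or MIT Kerberos code, parses the MIT keytab file format (version 0x0502) and reports those two problems for a given SPN, so a keytab can be checked before it is handed to the vApp user. The sample keytab is constructed in memory and its key bytes are placeholders, not keys derived from any password; the realm and host name are the ones used in the steps above.

```python
"""Parse an MIT-format keytab and check it against the AD account's kvno.

Added example, not SAS or MIT code. The sample keytab is built in memory;
the key bytes are placeholders, not keys derived from any password.
"""
import struct
from typing import List, Tuple

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1


def _octets(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as keytab version 0x0502
    (used only to construct the sample; real keytabs come from ktutil/ktpass)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)                                 # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out


def _read_octets(rec: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">H", rec[off:off + 2])
    return rec[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[dict]:
    """Return one dict per key entry: principal, kvno, enctype name, key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:            # a negative size marks a deleted slot
            pos -= size
            continue
        rec = data[pos:pos + size]
        (ncomp,) = struct.unpack(">H", rec[:2])
        realm, off = _read_octets(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_octets(rec, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", rec[off:off + 9])
        off += 9
        (enctype,) = struct.unpack(">H", rec[off:off + 2])
        key, off = _read_octets(rec, off + 2)
        kvno = vno8
        if off + 4 <= size:      # 32-bit vno present: overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack(">I", rec[off:off + 4])
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype), "keylen": len(key)})
        pos += size
    return entries


def check_keytab(entries: List[dict], principal: str, expected_kvno: int,
                 required=("aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96")) -> List[str]:
    """Findings that would make the keytab fail for principal; an empty list means OK."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["no entry for " + principal]
    findings = ["%s entry has kvno %d, msDS-KeyVersionNumber is %d" % (e["enctype"], e["kvno"], expected_kvno)
                for e in mine if e["kvno"] != expected_kvno]
    present = {e["enctype"] for e in mine}
    findings += ["missing %s key" % enc for enc in required if enc not in present]
    return findings


# Constructed sample: the host SPN from the steps above, kvno 2, three enctypes.
HOST_SPN = "host/dltest1.vapps.zzz.com@AD.ZZZ.COM"
PLACEHOLDER_KEY = bytes(range(32))  # placeholder bytes, not a real key
GOOD_KEYTAB = build_keytab([(HOST_SPN, 2, 23, PLACEHOLDER_KEY[:16]),
                            (HOST_SPN, 2, 17, PLACEHOLDER_KEY[:16]),
                            (HOST_SPN, 2, 18, PLACEHOLDER_KEY)])
# The same principal written before a password reset (kvno 1) and without an AES-256 key.
STALE_KEYTAB = build_keytab([(HOST_SPN, 1, 23, PLACEHOLDER_KEY[:16]),
                             (HOST_SPN, 1, 17, PLACEHOLDER_KEY[:16])])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_KEYTAB), ("stale", STALE_KEYTAB)):
        entries = parse_keytab(blob)
        for e in entries:
            print("%s: %s kvno=%d %s" % (label, e["principal"], e["kvno"], e["enctype"]))
        print(label, "findings:", check_keytab(entries, HOST_SPN, 2) or "none")
```

To check a real file, read it in binary mode and pass the bytes to parse_keytab; klist -kt shows the same principal, kvno and enctype columns. A kvno mismatch is the usual result of resetting the account password after the keytab was written, and the fix is to re-run step 4 with the new msDS-KeyVersionNumber.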

Hadoop

Overview

The Hadoop cluster must be configured for Kerberos according to the instructions provided for the specific distribution that you are using.
Ensure that the following setting is correct on your cluster:
* hive.server2.enable.doAs = true

Configure Kerberos Trusts

If the Kerberos environment includes users or services authenticated by a realm other than the default realm of the cluster, you must configure the cluster to interpret principals from the trusted realm. This is the case when the cluster is protected by MIT Kerberos and the client is protected by Active Directory.

Cloudera

When the cluster is protected by MIT Kerberos, add AD_DOMAIN_REALM to Trusted Kerberos Realms under the HDFS configuration.

Other Distributions

When the cluster is protected by MIT Kerberos, you must set the properties hadoop.security.auth_to_local and oozie.authentication.kerberos.name.rules as follows:
RULE:[1:$1@$0](.*@\QAD_DOMAIN_REALM\E$)s/@\QAD_DOMAIN_REALM\E$//
RULE:[2:$1@$0](.*@\QAD_DOMAIN_REALM\E$)s/@\QAD_DOMAIN_REALM\E$//
RULE:[1:$1@$0](.*@\QMIT_DOMAIN_REALM\E$)s/@\QMIT_DOMAIN_REALM\E$//
RULE:[2:$1@$0](.*@\QMIT_DOMAIN_REALM\E$)s/@\QMIT_DOMAIN_REALM\E$//
DEFAULT
An example of RULE 1 and RULE 2 for AD_DOMAIN_REALM is as follows:
RULE:[1:$1@$0](.*@\QDAFFY_KRB5.COM\E$)s/@\QDAFFY_KRB5.COM\E$// 
RULE:[2:$1@$0](.*@\QDAFFY_KRB5.COM\E$)s/@\QDAFFY_KRB5.COM\E$// 
DEFAULT 
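The rules above decide which principals the cluster will map to a local user name: the [1:...] rules handle user principals (user@REALM), the [2:...] rules handle service principals (service/host@REALM), each regular expression restricts the rule to one trusted realm, and DEFAULT accepts only the cluster's own realm. The following added example, which is not SAS or Hadoop code, re-implements that RULE/DEFAULT evaluation as Hadoop's KerberosName class performs it, so a rule set can be checked against principals before it is deployed. Java's \Q...\E literal quoting has no Python equivalent and is expanded to escaped text. The realm names AD.EXAMPLE.COM and MIT.EXAMPLE.COM are constructed stand-ins for AD_DOMAIN_REALM and MIT_DOMAIN_REALM, with the MIT realm as the cluster default.

```python
"""Evaluate Hadoop auth_to_local rules the way the cluster does.

Added example, not SAS or Hadoop code: a re-implementation of the RULE/DEFAULT
matching in Hadoop's KerberosName class. The realm names are constructed
stand-ins for AD_DOMAIN_REALM and MIT_DOMAIN_REALM.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


class NoMatchingRule(Exception):
    """No rule (not even DEFAULT) mapped the principal; Hadoop rejects it."""


# Grammar: RULE:[n:format](regex)s/pattern/replacement/g   or   DEFAULT
RULE_SYNTAX = re.compile(
    r"^\s*(?:(?P<default>DEFAULT)|RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<match>[^)]*)\))?"
    r"(?:s/(?P<from>[^/]*)/(?P<to>[^/]*)/(?P<g>g)?)?)\s*$"
)
NON_SIMPLE = re.compile(r"[/@]")  # the default "hadoop" mechanism rejects such results


def java_regex_to_python(pattern: str) -> str:
    """Expand Java's \\Q...\\E literal quoting (absent from Python's re) into
    escaped text; an unterminated \\Q quotes through the end of the pattern."""
    return re.sub(r"\\Q(.*?)(?:\\E|$)", lambda m: re.escape(m.group(1)), pattern)


@dataclass
class Rule:
    is_default: bool = False
    num_components: int = 0
    fmt: str = ""
    match: Optional[re.Pattern] = None
    sed_from: Optional[re.Pattern] = None
    sed_to: str = ""
    repeat: bool = False


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in filter(str.strip, text.splitlines()):
        m = RULE_SYNTAX.match(line)
        if not m:
            raise ValueError("malformed auth_to_local rule: " + line)
        if m.group("default"):
            rules.append(Rule(is_default=True))
            continue
        compile_opt = lambda p: re.compile(java_regex_to_python(p)) if p is not None else None
        rules.append(Rule(num_components=int(m.group("n")), fmt=m.group("fmt"),
                          match=compile_opt(m.group("match")), sed_from=compile_opt(m.group("from")),
                          sed_to=m.group("to") or "", repeat=bool(m.group("g"))))
    return rules


def apply_rule(rule: Rule, realm: str, comps: List[str], default_realm: str) -> Optional[str]:
    result = None
    if rule.is_default:
        # DEFAULT maps only the cluster's own realm and keeps the first component.
        if realm == default_realm:
            result = comps[0]
    elif len(comps) == rule.num_components:
        # $0 is the realm, $1..$n are the principal components.
        base = re.sub(r"\$(\d)", lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1], rule.fmt)
        if rule.match is None or rule.match.fullmatch(base):
            if rule.sed_from is None:
                result = base
            else:
                result = rule.sed_from.sub(rule.sed_to, base, count=0 if rule.repeat else 1)
    if result is not None and NON_SIMPLE.search(result):
        raise NoMatchingRule("non-simple name %r produced by rule" % result)
    return result


def translate(principal: str, rules: List[Rule], default_realm: str) -> str:
    """Return the short (local) name for principal, or raise NoMatchingRule."""
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no realm in the name: Hadoop assumes the default realm
        name, realm = principal, default_realm
    comps = name.split("/")
    for rule in rules:
        result = apply_rule(rule, realm, comps, default_realm)
        if result is not None:
            return result
    raise NoMatchingRule("no auth_to_local rule maps " + principal)


def strip_realm_rules(realm: str) -> str:
    """RULE 1 and RULE 2 from the documentation, with realm in place of AD_DOMAIN_REALM."""
    q = "\\Q" + realm + "\\E"
    return "\n".join("RULE:[%d:$1@$0](.*@%s$)s/@%s$//" % (n, q, q) for n in (1, 2))


AD_REALM = "AD.EXAMPLE.COM"    # constructed stand-in for AD_DOMAIN_REALM
MIT_REALM = "MIT.EXAMPLE.COM"  # constructed stand-in for MIT_DOMAIN_REALM (cluster default)
RULES_TEXT = "\n".join([strip_realm_rules(AD_REALM), strip_realm_rules(MIT_REALM), "DEFAULT"])


def demo() -> dict:
    """Map a few constructed principals; None marks a rejected principal."""
    rules = parse_rules(RULES_TEXT)
    out = {}
    for p in ("alice@" + AD_REALM, "HTTP/dltest1.vapps.zzz.com@" + AD_REALM,
              "hive/worker1.example.com@" + MIT_REALM, "mallory@OTHER.EXAMPLE.COM"):
        try:
            out[p] = translate(p, rules, MIT_REALM)
        except NoMatchingRule:
            out[p] = None
    return out


if __name__ == "__main__":
    for principal, short in demo().items():
        print("%-45s -> %s" % (principal, short or "REJECTED (realm not trusted)"))
```

The last principal in demo() shows the property that matters for a trust configuration: a name from a realm that no RULE names, and that is not the cluster default, falls through every rule and is rejected rather than silently mapped to a local user. Hadoop's `hadoop kerbname` subcommand performs the same check against the cluster's live configuration.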

SAS LASR Analytic Server

Integration of SAS Data Loader for Hadoop with a SAS LASR Analytic Server is possible only in an AD Kerberos environment. SAS Data Loader for Hadoop cannot be integrated with SAS LASR Analytic Server in a mixed AD and MIT Kerberos environment.
A public key is created as part of SAS Data Loader for Hadoop vApp configuration and is placed in the SAS Data Loader for Hadoop shared folder. This public key must also exist on the SAS LASR Analytic Server grid. The public key must be appended to the authorized_keys file in the .ssh directory of that user.
For more information about the SAS LASR Analytic Server administrator, see “LASR Analytic Servers Panel” in the SAS Data Loader for Hadoop: User’s Guide.