Preparing for Kerberos

Kerberos Prerequisites

The SAS High-Performance Analytics infrastructure supports the Kerberos network authentication protocol. Throughout this document, we indicate the particular settings that you need to make in order to configure parts of the infrastructure for Kerberos. However, you must understand and be able to verify your own security setup. If you are using Kerberos, you need to be able to obtain a Kerberos ticket.
The list of Kerberos prerequisites is:
  • A Kerberos key distribution center (KDC)
  • All machines configured as Kerberos clients
  • Permissions to copy and secure Kerberos keytab files on all machines
  • A user principal for the Hadoop user
    (This is used for setting up the cluster and performing administrative functions.)
  • Encryption types supported on the Kerberos domain controller should be aes256-cts:normal and aes128-cts:normal

Generate and Test Host Principals: Example

This topic provides an example of setting up hosts using MIT Kerberos. There are other implementations of Kerberos, such as Microsoft Active Directory, that the SAS High-Performance Analytics infrastructure supports.
Every machine in the analytics cluster must have a host principal and a Kerberos keytab in order to operate as a Kerberos client.
To generate and test host principals, follow these steps:
  1. Execute kadmin.local on the KDC.
  2. Run the following command for each machine in the cluster:
    addprinc -randkey +ok_to_delegate host/$machine-name
    where machine-name is the host name of the particular machine.
  3. Generate host keytab files in kadmin.local for each machine, by running the following command:
    ktadd -norandkey -k $machine-name.keytab host/$machine-name
    where machine-name is the name of the particular machine.
    Tip
    When generating keytab files, it is a best practice to create one file per machine. If a keytab file is compromised, it then contains only the host principal of the machine it resides on, rather than a single file that contains the principals for every machine in the environment.
  4. Copy each generated keytab file to its respective machine under /etc, rename the file to krb5.keytab, and secure it with mode 600, owned by root.
    For example:
    cp keytab /etc/krb5.keytab
    chown root:root /etc/krb5.keytab
    chmod 600 /etc/krb5.keytab
  5. Validate your configuration in a temporary credential cache (ccache) to avoid overwriting any ccache in your user session with the host’s credentials:
    kinit -kt /etc/krb5.keytab -c ~/testccache host/machine.name@REALM.NAME
  6. Because kinit obtains only a krbtgt ticket for a given principal, also validate that Kerberos is able to issue service tickets for the host principal:
    kvno -c ~/testccache host/machine.name@REALM.NAME
  7. Run the klist command to check the status of your Kerberos ticket:
    klist -efac ~/testccache
    Your klist output should resemble the following:
    Ticket cache: FILE:/home/myacct/testccache
    Default principal: host/myserver.example.com@NA.EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    07/07/15 15:33:32  07/08/15 01:33:32  krbtgt/NA.EXAMPLE.COM@NA.EXAMPLE.COM
    	renew until 07/14/15 15:33:32, Flags: FRIA
    	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    	Addresses: (none)
    07/07/15 15:34:09  07/08/15 01:33:32  host/myserver.example.com@NA.EXAMPLE.COM
    	renew until 07/14/15 15:33:32, Flags: FRAO
    	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    	Addresses: (none)
    
    Note: If you intend to deploy the SAS Embedded Process on the cluster for use with SAS/ACCESS Interface to Hadoop, then a user keytab file for the user ID that runs HDFS is required.
  8. Delete your ccache:
    kdestroy -c ~/testccache
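The following script is an added example (not part of the SAS documentation) that generates the kadmin.local commands of steps 2 and 3 for a list of machines, one keytab per machine, and checks a klist listing for the host service ticket of step 6 with one of the AES etypes named in the prerequisites. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SAS documentation. Emits the per-machine
# kadmin.local commands of steps 2-3 and checks a klist -e listing for the
# host service ticket and the AES encryption types named in the prerequisites.

# kadmin.local commands for one machine: a separate keytab per machine, as
# the tip above recommends, so a compromised file exposes only that host.
kadmin_cmds_for_host() {
    printf 'addprinc -randkey +ok_to_delegate host/%s\n' "$1"
    printf 'ktadd -norandkey -k %s.keytab host/%s\n' "$1" "$1"
}

# The same for every non-empty line (one host name per line) read from stdin.
kadmin_cmds_from_stdin() {
    while IFS= read -r h; do
        if [ -n "$h" ]; then kadmin_cmds_for_host "$h"; fi
    done
}

# Read a klist -e listing on stdin. Exit 0 only if a service ticket for
# host/<fqdn> is present and its ticket (tkt) etype is aes256-cts or
# aes128-cts; exit 1 if the ticket is missing or uses any other etype.
klist_has_aes_host_ticket() {
    awk -v svc="host/$1@" '
        index($0, svc) && !/^Default principal/ { found = 1; next }
        found && /Etype/ {
            n = split($0, p, ","); tkt = p[n]      # last field is the tkt etype
            gsub(/^[ \t]+|[ \t]+$/, "", tkt)
            if (tkt ~ /^aes(256|128)-cts/) ok = 1
            found = 0
        }
        END { exit ok ? 0 : 1 }'
}

# Constructed klist -efac output for the step 5 host principal; the ticket
# etype comes from $1 so that a weak etype can be exercised as well.
sample_klist() {
    printf 'Ticket cache: FILE:/home/myacct/testccache\n'
    printf 'Default principal: host/myserver.example.com@NA.EXAMPLE.COM\n\n'
    printf 'Valid starting     Expires            Service principal\n'
    printf '07/07/15 15:33:32  07/08/15 01:33:32  krbtgt/NA.EXAMPLE.COM@NA.EXAMPLE.COM\n'
    printf '\trenew until 07/14/15 15:33:32, Flags: FRIA\n'
    printf '\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96\n'
    printf '07/07/15 15:34:09  07/08/15 01:33:32  host/myserver.example.com@NA.EXAMPLE.COM\n'
    printf '\trenew until 07/14/15 15:33:32, Flags: FRAO\n'
    printf '\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, %s\n' "$1"
}
```

On a real host, pipe `klist -efac ~/testccache` into klist_has_aes_host_ticket after step 7 instead of the constructed listing.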

Configure Passwordless SSH to Use Kerberos

Tip
If you are not familiar with passwordless Secure Shell (SSH), please see Setting Up Passwordless Secure Shell (SSH).
Passwordless access of some form is a requirement of the SAS High-Performance Analytics environment through its use of the Message Passing Interface (MPI). Traditionally, public key authentication in Secure Shell (SSH) is used to meet the passwordless access requirement. For Secure Mode Hadoop, GSSAPI with Kerberos is used as the passwordless SSH mechanism. GSSAPI with Kerberos not only meets the passwordless SSH requirements, but also supplies Hadoop with the credentials required for users to perform operations in HDFS with SAS LASR Analytic Server and SASHDAT files. Certain options must be set in the SSH daemon and SSH client configuration files. Those options are as follows and assume a default configuration of sshd.
To configure passwordless SSH to use Kerberos, follow these steps:
  1. In the sshd_config file, set:
    GSSAPIAuthentication yes
  2. In the ssh_config file, set:
    Host *.domain.net
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    where domain.net is the domain name used by the machine in the cluster.
    Tip
    Although you can specify Host *, this is not recommended because it would enable GSSAPI authentication, and with GSSAPIDelegateCredentials the forwarding of your Kerberos credentials, to any host name.
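The following is an added example, not from the SAS documentation, that audits an ssh_config for the settings in step 2 and flags credential delegation that is scoped to Host * or set globally; the function names and the sample configuration are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SAS documentation: audits an ssh_config for
# the step 2 settings. It prints one line per Host block with the GSSAPI
# authentication and delegation values, and flags credential delegation that
# applies to every host, which is what the tip above advises against.

# Read ssh_config text on stdin and print, per block:
#   <pattern> auth=<value> delegate=<value> <OK|WILDCARD>
# Options before any Host line apply to all hosts and are reported as
# "(global)". Exit 1 if delegation is enabled for "*" or globally, else 0.
# Simplification: only the first pattern of a Host line is shown, and Match
# blocks are not handled.
audit_ssh_config() {
    awk '
        function flush() {
            if (host == "(global)" && auth == "no" && deleg == "no") return
            status = ((host == "*" || host == "(global)") && deleg == "yes") ? "WILDCARD" : "OK"
            if (status == "WILDCARD") bad = 1
            printf "%s auth=%s delegate=%s %s\n", host, auth, deleg, status
        }
        BEGIN { host = "(global)"; auth = "no"; deleg = "no" }
        { sub(/#.*/, ""); if ($1 == "") next }       # drop comments and blank lines
        tolower($1) == "host" { flush(); host = $2; auth = "no"; deleg = "no"; next }
        tolower($1) == "gssapiauthentication"      { auth  = tolower($2) }
        tolower($1) == "gssapidelegatecredentials" { deleg = tolower($2) }
        END { flush(); exit bad ? 1 : 0 }'
}

# Constructed ssh_config: the recommended scoped block followed by the
# unscoped "Host *" block that the tip warns about.
sample_ssh_config() {
    printf 'Host *.domain.net\n  GSSAPIAuthentication yes\n  GSSAPIDelegateCredentials yes\n'
    printf 'Host *\n  GSSAPIAuthentication yes\n  GSSAPIDelegateCredentials yes\n'
}
```

Run it as `audit_ssh_config < /etc/ssh/ssh_config` (or against ~/.ssh/config) on each cluster machine.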

Preparing the Analytics Environment for Kerberos

During start-up, the Message Passing Interface (MPI) propagates the user's Kerberos credentials cache setting (KRB5CCNAME), which can cause an issue when Hadoop attempts to use Kerberos credentials to perform operations in HDFS.
Under Secure Shell (SSH), a random set of characters is appended to the credentials cache file name, so the value of the KRB5CCNAME environment variable differs on each machine. To have each machine use its own correct value for KRB5CCNAME, use the following option when you are asked for additional options to MPIRUN during the analytics environment installation:
-genvlist `env | sed -e s/=.*/,/ | sed /KRB5CCNAME/d | tr -d '\n'`TKPATH,LD_LIBRARY_PATH
Note: Enter the above option on one line. Do not add any carriage returns or other whitespace characters.
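To show what the -genvlist value expands to, this added example (not from the SAS documentation) runs the same sed and tr pipeline over a constructed environment listing instead of the live output of env; the function names and variable values are assumptions.

```shell
#!/bin/sh
# Added example, not from the SAS documentation: shows what the -genvlist
# value above expands to, by running the same sed and tr pipeline over a
# constructed environment listing instead of the live output of env.

# Build the list from "NAME=value" lines on stdin: every variable name except
# KRB5CCNAME, comma-separated, with TKPATH and LD_LIBRARY_PATH appended, so
# MPI exports the rest of the environment but lets each machine keep its own
# credentials cache path. Any other name containing KRB5CCNAME is dropped too.
build_genvlist() {
    printf '%s' "$(sed -e 's/=.*/,/' | sed '/KRB5CCNAME/d' | tr -d '\n')TKPATH,LD_LIBRARY_PATH"
}

# Constructed environment; the random suffix on the ccache path is what
# makes KRB5CCNAME differ from machine to machine under SSH.
sample_env() {
    printf 'HOME=/home/myacct\n'
    printf 'KRB5CCNAME=FILE:/tmp/krb5cc_1000_AbCdEf\n'
    printf 'PATH=/usr/bin:/bin\n'
}
```

For the constructed environment the result is HOME,PATH,TKPATH,LD_LIBRARY_PATH; running `env | build_genvlist` on a cluster node shows the list MPIRUN would receive there.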
You must use a launcher that supports GSSAPI authentication because the implementation of SSH that is included with SAS does not support it. Add the following to your SAS programs on the client:
option set=GRIDRSHCOMMAND="/path-to-file/ssh";
Tip
Adding GRIDRSHCOMMAND to your sasv9_usermods.cfg preserves the setting during SAS upgrades and avoids having to manually set that environment variable on the client before starting SAS.
Last updated: June 19, 2017