To use Kerberos with Hadoop, you can either use an existing KDC or install a new one just for Hadoop's use. The following gives a very high-level description of the installation process. For more information, see the RHEL, CentOS, or SLES documentation.
Note: Because Kerberos is a time-sensitive protocol, all hosts in the realm must be time-synchronized, for example, by using the Network Time Protocol (NTP). If the local system time of a client differs from that of the KDC by as little as 5 minutes (the default), the client will not be able to authenticate.
To install a new version of the server:
[On RHEL, CentOS, or Oracle Linux] yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
OR
[On SLES] zypper install krb5 krb5-server krb5-client
Note: The host on which you install the KDC must itself be secure.
When the server is installed, use a text editor to edit the configuration file, located by default here:
/etc/krb5.conf
Change the [realms] section of this file by replacing the default “kerberos.example.com” setting for the kdc and admin_server properties with the Fully Qualified Domain Name of the KDC server. In the example below, “kerberos.example.com” has been replaced with “my.kdc.server”.

```
[realms]
  EXAMPLE.COM = {
    kdc = my.kdc.server
    admin_server = my.kdc.server
  }
```
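A check for the edit described above, as an added example rather than part of the original documentation: it reads a krb5.conf and reports any realm whose kdc or admin_server is still the default kerberos.example.com, is not a fully qualified name, or is missing. The function name check_krb5_realms and the sample file are assumptions made for illustration, and the parser assumes one relation per line.

```shell
# Added example: lint the kdc and admin_server entries of krb5.conf [realms].
# Assumes one "key = value" relation per line, as in a stock krb5.conf.
check_krb5_realms() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function finish() {                      # close the current realm block
        if (realm == "") return
        if (!("kdc" in seen)) { print realm ": no kdc entry"; bad = 1 }
        if (!("admin_server" in seen)) { print realm ": no admin_server entry"; bad = 1 }
        realm = ""; split("", seen)          # portable way to empty the array
    }
    /^[ \t]*[#;]/ { next }                   # comment lines
    /^[ \t]*\[/ { finish(); section = trim($0); next }
    section != "[realms]" { next }
    /=[ \t]*\{/ { finish(); realm = trim(substr($0, 1, index($0, "=") - 1)); next }
    /^[ \t]*\}/ { finish(); next }
    realm != "" && /=/ {
        key = trim(substr($0, 1, index($0, "=") - 1))
        val = trim(substr($0, index($0, "=") + 1))
        if (key != "kdc" && key != "admin_server") next
        seen[key] = 1
        sub(/:[0-9]+$/, "", val)             # drop an optional :port suffix
        if (val == "kerberos.example.com") {
            print realm ": " key " is still the default kerberos.example.com"; bad = 1
        } else if (val !~ /\./) {
            print realm ": " key " \"" val "\" is not a fully qualified name"; bad = 1
        }
    }
    END { finish(); exit bad + 0 }           # exit status 1 if anything was reported
    ' "$1"
}

# Constructed sample input: kdc still holds the default placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = my.kdc.server
 }
EOF
check_krb5_realms "$sample" || echo "edit the entries listed above in /etc/krb5.conf"
rm -f "$sample"
```

On a real host, run `check_krb5_realms /etc/krb5.conf`; a zero exit status means every realm passed.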