kyuubi/docs/security/kinit.md
Cheng Pan 19150ca292
[KYUUBI #951] [LICENSE] Add license header on all docs
<!--
Thanks for sending a pull request!

Here are some tips for you:
  1. If this is your first time, please read our contributor guidelines: https://kyuubi.readthedocs.io/en/latest/community/contributions.html
  2. If the PR is related to an issue in https://github.com/apache/incubator-kyuubi/issues, add '[KYUUBI #XXXX]' in your PR title, e.g., '[KYUUBI #XXXX] Your PR title ...'.
  3. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP][KYUUBI #XXXX] Your PR title ...'.
-->

### _Why are the changes needed?_
<!--
Please clarify why the changes are needed. For instance,
  1. If you add a feature, you can talk about the use case of it.
  2. If you fix a bug, you can clarify why it is a bug.
-->

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [ ] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #951 from pan3793/license.

Closes #951

4629eecd [Cheng Pan] Fix
c45a0784 [Cheng Pan] nit
b9a46b42 [Cheng Pan] pin license header at first line
80d1a71b [Cheng Pan] nit
b2a46e4c [Cheng Pan] Update
f6acaaf8 [Cheng Pan] minor
ef99183f [Cheng Pan] Add license header on all docs

Authored-by: Cheng Pan <chengpan@apache.org>
Signed-off-by: Cheng Pan <chengpan@apache.org>
(cherry picked from commit a76c344042)
Signed-off-by: Cheng Pan <chengpan@apache.org>
2021-08-19 09:54:01 +08:00


# Kinit Auxiliary Service

To work with a Kerberos-enabled cluster, Kyuubi provides this kinit auxiliary service. It periodically re-runs kinit to keep the ticket cache fresh.

## Installing and Configuring the Kerberos Clients

Usually, the Kerberos client is installed by default. You can verify this with the klist tool:

```
$ klist -V
Kerberos 5 version 1.15.1
```

If the client is not installed, install it first, following the instructions for the OS on which you plan to run Kyuubi.

krb5.conf is the configuration file that controls how the Kerberos ticket cache is created. The default location is /etc on Linux, and the KRB5_CONFIG environment variable can be used to override the location of the configuration file.

Replace or configure krb5.conf so that it points to your KDC.

## Kerberos Ticket

The Kerberos client is used to generate a ticket cache file. Kyuubi then uses this ticket cache to authenticate with kerberized services such as HDFS, YARN, and the Hive Metastore server.

A Kerberos ticket cache contains the service and client principal names, lifetime indicators, flags, and the credential itself, e.g.

```
$ klist

Ticket cache: FILE:/tmp/krb5cc_5441
Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG

Valid starting       Expires              Service principal
2020-11-25T13:17:18  2020-11-26T13:17:18  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
	renew until 2020-12-02T13:17:18
```

Kerberos credentials are stored in the Kerberos ticket cache, for example /tmp/krb5cc_5441 in the case above.

They are valid only for a relatively short period, so a long-running service like Kyuubi must refresh them regularly.

## Configurations

| Key | Default | Meaning | Since |
|---|---|---|---|
| kyuubi.kinit.principal | `<undefined>` | Name of the Kerberos principal. | 1.0.0 |
| kyuubi.kinit.keytab | `<undefined>` | Location of Kyuubi server's keytab. | 1.0.0 |
| kyuubi.kinit.interval | PT1H | How often the Kyuubi server runs `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache. | 1.0.0 |
| kyuubi.kinit.max.attempts | 10 | How many times the kinit process will retry. | 1.0.0 |

When hadoop.security.authentication is set to KERBEROS, either in $HADOOP_CONF_DIR/core-site or in $KYUUBI_HOME/conf/kyuubi-defaults.conf, Kyuubi is targeting a secured cluster, and you must set kyuubi.kinit.principal and kyuubi.kinit.keytab for authentication.
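As an added illustration (not Kyuubi's own code), the following POSIX shell sketch shows what the auxiliary service does with the four settings above: run `kinit -kt [keytab] [principal]`, retry up to `kyuubi.kinit.max.attempts` times, then sleep for the interval before the next renewal. The keytab path and the delay between retries are assumptions, not Kyuubi settings.

```shell
#!/bin/sh
# Added example, not Kyuubi's own code: a stand-in for the kinit auxiliary
# service loop driven by the four settings in the configuration table.
# Assumptions: the MIT Kerberos client (kinit/klist) is on PATH; the keytab
# path below is a placeholder; the delay between retries is not a Kyuubi setting.

KYUUBI_KINIT_PRINCIPAL="${KYUUBI_KINIT_PRINCIPAL:-spark/kyuubi.host.name@KYUUBI.APACHE.ORG}"
KYUUBI_KINIT_KEYTAB="${KYUUBI_KINIT_KEYTAB:-/path/to/placeholder.keytab}"
KYUUBI_KINIT_INTERVAL_SECONDS="${KYUUBI_KINIT_INTERVAL_SECONDS:-3600}"   # PT1H
KYUUBI_KINIT_MAX_ATTEMPTS="${KYUUBI_KINIT_MAX_ATTEMPTS:-10}"
KYUUBI_KINIT_RETRY_DELAY="${KYUUBI_KINIT_RETRY_DELAY:-5}"                # assumed, seconds

# kinit_with_retries KEYTAB PRINCIPAL MAX_ATTEMPTS
# Runs `kinit -kt KEYTAB PRINCIPAL` until it succeeds or MAX_ATTEMPTS is
# exhausted. On success prints the attempt number that worked and returns 0;
# otherwise prints nothing and returns 1 so the caller can alert.
kinit_with_retries() {
    keytab="$1"; principal="$2"; max_attempts="$3"
    attempt=1
    while [ "$attempt" -le "$max_attempts" ]; do
        if kinit -kt "$keytab" "$principal"; then
            echo "$attempt"
            return 0
        fi
        echo "kinit attempt $attempt/$max_attempts failed for $principal" >&2
        attempt=$((attempt + 1))
        if [ "$KYUUBI_KINIT_RETRY_DELAY" -gt 0 ]; then
            sleep "$KYUUBI_KINIT_RETRY_DELAY"
        fi
    done
    return 1
}

# kinit_renewal_loop: what the auxiliary service does for the life of the
# server. Each round re-kinits (with retries) and then sleeps for the
# interval, so the ticket cache is refreshed well before the ticket expires.
# Start it in the background with: kinit_renewal_loop &
kinit_renewal_loop() {
    while :; do
        if ! kinit_with_retries "$KYUUBI_KINIT_KEYTAB" "$KYUUBI_KINIT_PRINCIPAL" \
                                "$KYUUBI_KINIT_MAX_ATTEMPTS" >/dev/null; then
            echo "giving up after $KYUUBI_KINIT_MAX_ATTEMPTS attempts; the ticket cache will go stale" >&2
            return 1
        fi
        klist >/dev/null 2>&1 || echo "warning: klist cannot read the ticket cache" >&2
        sleep "$KYUUBI_KINIT_INTERVAL_SECONDS"
    done
}
```

Because a failed round returns non-zero instead of silently continuing, a supervisor can alert before the ticket in the cache actually expires.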

Kyuubi uses this principal to impersonate client users, so the cluster must allow this principal's user to act as a proxy user, scoped to particular users or groups and particular hosts.

For example,

```
hadoop.proxyuser.<user name in principal>.groups *
hadoop.proxyuser.<user name in principal>.hosts *
```

Here `*` allows impersonation of any group from any host; in production, narrow both values to the groups and hosts that actually need it.

## Further Readings