Kerberos Authentication Configuration
1. Set up Kerberos principals for each ThingWorx Analytics service that requires Kerberos-authenticated HDFS access. For a list of services that require access, see Services to Configure. Create the principals on the same server where the Kerberos Key Distribution Center (KDC) is located.
The following example shows principal setup for the three analytics worker services, where khserver.testbed.com is the host and TESTBED is the Kerberos realm. Replace these values with your own.
# kadmin.local
kadmin.local:
kadmin.local: add_principal -randkey twas-analytics-worker-1/khserver.testbed.com@TESTBED
kadmin.local: add_principal -randkey twas-analytics-worker-2/khserver.testbed.com@TESTBED
kadmin.local: add_principal -randkey twas-analytics-worker-3/khserver.testbed.com@TESTBED
kadmin.local:
kadmin.local: quit
#
2. On the same server where the Kerberos KDC is running, generate a keytab file that contains the credentials for the Kerberos principals you created. You can generate a single keytab file for all the principal credentials or separate them into multiple keytab files. The existing YARN Resource Manager principal must be included in a keytab file.
The following example shows keytab file generation for the three analytics worker services where khserver.testbed.com is the host and TESTBED is the Kerberos realm. Replace these values with your own.
# kadmin.local
kadmin.local:
kadmin.local: ktadd -norandkey -k /etc/security/analytics-server.keytab twas-analytics-worker-1/khserver.testbed.com@TESTBED
kadmin.local: ktadd -norandkey -k /etc/security/analytics-server.keytab twas-analytics-worker-2/khserver.testbed.com@TESTBED
kadmin.local: ktadd -norandkey -k /etc/security/analytics-server.keytab twas-analytics-worker-3/khserver.testbed.com@TESTBED
kadmin.local: ktadd -norandkey -k /etc/security/analytics-server.keytab rm/khserver.testbed.com@TESTBED
kadmin.local:
kadmin.local: quit
#
3. Copy the generated keytab files onto the server where ThingWorx Analytics is installed. Preferably, copy the files to a ThingWorx Analytics installation directory where access is restricted.
4. Create an XML configuration file with the properties listed below. Save the file in your ThingWorx Analytics installation directory or in a repository that is accessible to your ThingWorx Analytics Server.
◦ fs.defaultFS – The URI of the default HDFS file system.
◦ hadoop.security.authentication – The type of authentication to be used. Valid values are simple or kerberos. For an authenticated environment, use kerberos.
◦ hadoop.security.authorization – Indicates whether service-level authorization is enabled. Valid values are true or false.
◦ hadoop.rpc.protection – A comma-separated list of protection values for secured SASL connections. Use the privacy value to indicate that authentication, integrity, and privacy are enabled. This property must match the value on the server where Hadoop daemons are running.
◦ yarn.resourcemanager.hostname – The fully-qualified domain name of the host where the Hadoop YARN Resource Manager is running.
◦ yarn.resourcemanager.principal – The Kerberos principal for the YARN Resource Manager.
◦ yarn.resourcemanager.keytab – The location of the keytab file that contains the credentials of the YARN Resource Manager principal.
Sample configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<property>
<name>fs.defaultFS</name>
<value>hdfs://host_name_where_HDFS_is_running:8020</value>
</property>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>false</value>
</property>
<property>
<name>hadoop.rpc.protection</name>
<value>privacy</value>
</property>
<property>
<name>yarn.resourcemanager.hostname</name>
<value>khserver.testbed.com</value>
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>rm/khserver.testbed.com@TESTBED</value>
</property>
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/etc/security/analytics-server.keytab</value>
</property>
</configuration>
5. For the ThingWorx Analytics services to authenticate themselves with Kerberos, create a JAAS (Java Authentication and Authorization Service) file for each ThingWorx Analytics service that requires HDFS access. For a list of those services, see Services to Configure. Each JAAS file must include the properties listed below. Save each file in the ThingWorx Analytics installation directory, or in some other location that is accessible to the Analytics server.
◦ principal – The Kerberos principal that will be used to authenticate the service.
◦ keytab – The location of the keytab file that contains the credentials for that specific Kerberos principal.
Sample JAAS file for: /etc/security/twas-analytics-worker-1-jaas.conf
analytics-server {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="twas-analytics-worker-1/khserver.testbed.com@TESTBED"
useKeyTab=true
keyTab="/etc/security/analytics-server.keytab"
storeKey=true;
};
6. For each ThingWorx Analytics service that requires HDFS access, edit the Java command line to include the additional parameters listed below. For each parameter, adjust the file paths to reflect your installation and your operating system. For information about how to edit the parameters, see Editing Java Command Line Parameters.
◦ -Djava.security.auth.login.config=filepath – Indicates the location of the JAAS file for a given service.
◦ -Djava.security.krb5.conf=filepath – Indicates the location of the existing Kerberos configuration file (krb5.conf) for the Kerberos realm.
◦ -Dhdfs.config.url=filepath – Indicates the location of the configuration file.
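A consistency check for the files produced in steps 3 to 5, added here as an example and not part of the ThingWorx or Hadoop tooling. It parses a Hadoop XML configuration and a JAAS entry and reports the mistakes this page warns about: authentication not set to kerberos, an rpc.protection value other than privacy, a JAAS entry that would prompt instead of using its keytab, a service principal in a different realm than the Resource Manager principal, and a keytab readable by group or others. The two inputs below are constructed samples that deliberately contain two of these defects.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the page's examples, not real deployment files.
HADOOP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://khserver.testbed.com:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.rpc.protection</name><value>authentication</value></property>
  <property><name>yarn.resourcemanager.principal</name><value>rm/khserver.testbed.com@TESTBED</value></property>
  <property><name>yarn.resourcemanager.keytab</name><value>/etc/security/analytics-server.keytab</value></property>
</configuration>"""

JAAS_CONF = """analytics-server {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  principal="twas-analytics-worker-1/khserver.testbed.com@OTHER"
  useKeyTab=true
  keyTab="/etc/security/analytics-server.keytab"
  storeKey=true;
};"""


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop-style XML configuration."""
    root = ET.fromstring(text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("property")}


def parse_jaas(text):
    """Return {option: value} for the key=value options of the first JAAS login entry."""
    body = text.split("{", 1)[1].split("}", 1)[0]
    return dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))


def check_kerberos_config(hadoop_xml, jaas_conf):
    """Return a list of findings; an empty list means the files meet the page's requirements."""
    cfg, jaas, findings = parse_hadoop_xml(hadoop_xml), parse_jaas(jaas_conf), []
    if cfg.get("hadoop.security.authentication") != "kerberos":
        findings.append("hadoop.security.authentication is not 'kerberos'")
    if cfg.get("hadoop.rpc.protection") != "privacy":
        findings.append("hadoop.rpc.protection is not 'privacy' (must match the Hadoop daemons)")
    if jaas.get("useKeyTab") != "true" or jaas.get("doNotPrompt") != "true":
        findings.append("JAAS entry needs useKeyTab=true and doNotPrompt=true for unattended login")
    rm_realm = cfg.get("yarn.resourcemanager.principal", "").rpartition("@")[2]
    svc_realm = jaas.get("principal", "").rpartition("@")[2]
    if rm_realm and svc_realm != rm_realm:
        findings.append(f"JAAS principal realm {svc_realm!r} differs from Resource Manager realm {rm_realm!r}")
    keytab = jaas.get("keyTab", "")
    if os.path.exists(keytab) and os.stat(keytab).st_mode & 0o077:  # step 3: keep the keytab restricted
        findings.append(f"keytab {keytab} is readable by group or others")
    return findings
```

Point the two constants at your real files (or read them from disk) and run the check on the Analytics server itself so that the keytab permission test sees the copied file.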