Configuring Kerberos Principals
Paolo Milani edited this page Dec 18, 2018 · 4 revisions
It is possible to customize the Kerberos principals used by a CSD service. For an example, see the CSD descriptor for Accumulo.
- Define the value for `${principal}` by adding the `principal` field to the top-level `runAs`.
- In the roles definitions, add `kerberosPrincipals` to the role definition (see the Kerberos Principals docs).
- In a role with Kerberos principals, configure the generators in its `configWriter` by adding `kerberosPrincipals` entries as needed; this generates the desired property containing the principal.

This is an extract of the Accumulo CSD showing just the relevant parts mentioned above:
```
{
  "name" : "ACCUMULO"
  ...
  "runAs" : {
    "user" : "accumulo",
    "group" : "accumulo",
    "principal" : "accumulo"
  }
  ...
  "roles" : [
    {
      "name" : "ACCUMULO_MASTER",
      ...
      "kerberosPrincipals" : [
        {"name" : "accumulo_principal", "primary" : "${principal}", "instance" : "${host}"}
      ],
      "configWriter" : {
        "generators" : [
          {
            "filename" : "accumulo-site.xml",
            "configFormat" : "hadoop_xml",
            "kerberosPrincipals" : [
              { "principalName" : "accumulo_principal", "propertyName" : "general.kerberos.principal", "instanceWildcard" : "_HOST"}
            ],
            "includedParams" : ["accumulo_instance_secret", "accumulo_hdfs_dir", "master_port_client", "monitor_port_client", "tserver_port_client", "table_file_replication"]
          }
        ]
      },
  .... ]
```
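A consistency check for the three places described above, as an added example that is not part of cm_ext or the Accumulo CSD. The function name `lint_kerberos_principals` and the sample descriptor (with a deliberately misspelled second generator entry) are constructed; the field names come from the extract, and the rule that a generator's `principalName` must match a `name` declared in the same role is an assumption inferred from it.

```python
import json

# Constructed sample modelled on the Accumulo extract (elided parts left out).
# The second generator entry is a deliberate typo so the lint has a finding.
SAMPLE_SDL = json.loads("""
{
  "name": "ACCUMULO",
  "runAs": {"user": "accumulo", "group": "accumulo", "principal": "accumulo"},
  "roles": [{
    "name": "ACCUMULO_MASTER",
    "kerberosPrincipals": [
      {"name": "accumulo_principal", "primary": "${principal}", "instance": "${host}"}
    ],
    "configWriter": {"generators": [{
      "filename": "accumulo-site.xml",
      "configFormat": "hadoop_xml",
      "kerberosPrincipals": [
        {"principalName": "accumulo_principal",
         "propertyName": "general.kerberos.principal", "instanceWildcard": "_HOST"},
        {"principalName": "acumulo_principal", "propertyName": "constructed.typo.principal"}
      ]
    }]}
  }]
}
""")

def lint_kerberos_principals(sdl):
    """Return wiring problems between runAs, role principals and generators."""
    problems = []
    has_run_as_principal = "principal" in sdl.get("runAs", {})
    for role in sdl.get("roles", []):
        declared = set()
        for p in role.get("kerberosPrincipals", []):
            declared.add(p["name"])
            # ${principal} only has a value when runAs defines "principal".
            if "${principal}" in p.get("primary", "") and not has_run_as_principal:
                problems.append(f'{role["name"]}: {p["name"]} uses ${{principal}} '
                                "but runAs has no principal field")
        for gen in role.get("configWriter", {}).get("generators", []):
            for ref in gen.get("kerberosPrincipals", []):
                # Assumption: principalName must name a principal of this role.
                if ref["principalName"] not in declared:
                    problems.append(f'{role["name"]}: {gen["filename"]} property '
                                    f'{ref["propertyName"]} references undeclared '
                                    f'principal {ref["principalName"]}')
    return problems

if __name__ == "__main__":
    print("\n".join(lint_kerberos_principals(SAMPLE_SDL)))
```

Running it over a descriptor before packaging the CSD catches a misspelled `principalName` or a missing `runAs` principal, either of which would leave the role without the intended principal property.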