../_images/kyuubi_logo_simple5.png

2. Kinit Auxiliary Service

In order to work with a kerberos-enabled cluster, Kyuubi provides this kinit auxiliary service. It will periodically re-kinit with to keep the Ticket Cache fresh.

2.1. Installing and Configuring the Kerberos Clients

Usually, Kerberos client is installed as default. You can validate it using klist tool.

$ klist -V
Kerberos 5 version 1.15.1

If the client is not installed, you should install it ahead based on the OS platform that you prepare to run Kyuubi.

krb5.conf is a configuration file for tuning up the creation of Kerberos ticket cache. The default location is /etc on Linux, and we can use KRB5_CONFIG environmental variable to overwrite the location of the configuration file.

Replace or configure krb5.conf to point to the KDC.

2.2. Kerberos Ticket

Kerberos client is aimed to generate a Ticket Cache file. Then, Kyuubi can use this Ticket Cache to authenticate with those kerberized services, e.g. HDFS, YARN, and Hive Metastore server, etc.

A Kerberos ticket cache contains a service and a client principal names, lifetime indicators, flags, and the credential itself, e.g.

$ klist

Ticket cache: FILE:/tmp/krb5cc_5441
Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG

Valid starting       Expires              Service principal
2020-11-25T13:17:18  2020-11-26T13:17:18  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
	renew until 2020-12-02T13:17:18

Kerberos credentials can be stored in Kerberos ticket cache. For example, /tmp/krb5cc_5441 in the above case.

They are valid for relatively short period. So, we always need to refresh it for long-running services like Kyuubi.

2.3. Configurations

Key Default Meaning Since
kyuubi.kinit
.principal
<undefined>
Name of the Kerberos principal.
1.0.0
kyuubi.kinit.keytab
<undefined>
Location of Kyuubi server's keytab.
1.0.0
kyuubi.kinit.interval
PT1H
How often will Kyuubi server run kinit -kt [keytab] [principal] to renew the local Kerberos credentials cache
1.0.0
kyuubi.kinit.max
.attempts
10
How many times will kinit process retry
1.0.0

When hadoop.security.authentication is set to KERBEROS, in $HADOOP_CONF_DIR/core-site or $KYUUBI_HOME/conf/kyuubi-defaults.conf, it indicates that we are targeting a secured cluster, then we need to specify kyuubi.kinit.principal and kyuubi.kinit.keytab for authentication.

Kyuubi will use this principal to impersonate client users, so the cluster should enable it to do impersonation for some particular user from some particular hosts.

For example,

hadoop.proxyuser.<user name in principal>.groups *
hadoop.proxyuser.<user name in principal>.hosts *