# Kinit Auxiliary Service
Kinit auxiliary service is a critical service both for authentication between Kyuubi client/server
and for authentication between Kyuubi server/Hadoop cluster in a Kerberos environment.
It will get a Kerberos Ticket Cache from KDC and periodically re-kinit to keep the Ticket Cache fresh.
**Note**:
- Kinit auxiliary service is critical to Kyuubi Kerberos authentication, but not vice versa.
- Kinit auxiliary service can also work with other authentication mode.
## Installing and Configuring the Kerberos Clients
Usually, Kerberos client is installed as default. You can validate it using `klist` tool.
```bash
$ klist -V
Kerberos 5 version 1.15.1
```
If the client is not installed, you should install it ahead based on the OS platform that you prepare to run Kyuubi.
`krb5.conf` is a configuration file for tuning up the creation of Kerberos ticket cache.
The default location is `/etc` on Linux,
and we can use `KRB5_CONFIG` environmental variable to overwrite the location of the configuration file.
Replace or configure `krb5.conf` to point to the KDC.
## Kerberos Ticket
Kerberos client is aimed to generate a Ticket Cache file.
Then, Kyuubi can use this Ticket Cache to authenticate with those kerberized services,
e.g. HDFS, YARN, and Hive Metastore server, etc.
A Kerberos ticket cache contains a service and a client principal names,
lifetime indicators, flags, and the credential itself, e.g.
```bash
$ klist
Ticket cache: FILE:/tmp/krb5cc_5441
Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG
Valid starting Expires Service principal
2020-11-25T13:17:18 2020-11-26T13:17:18 krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
renew until 2020-12-02T13:17:18
```
Kerberos credentials can be stored in Kerberos ticket cache.
For example, `/tmp/krb5cc_5441` in the above case.
They are valid for relatively short period. So, we always need to refresh it for long-running services like Kyuubi.
## Configurations
| Key | Default | Meaning | Since |
|----------------------------------------|--------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|
| kyuubi.kinit.principal | <undefined>
| Name of the Kerberos principal.
| 1.0.0
|
| kyuubi.kinit.keytab | <undefined>
| Location of Kyuubi server's keytab.
| 1.0.0
|
| kyuubi.kinit.interval | PT1H
| How often will Kyuubi server run `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache
| 1.0.0
|
| kyuubi.kinit.max.attempts | 10
| How many times will `kinit` process retry
| 1.0.0
|
When working with a Kerberos-enabled Hadoop cluster, we should ensure that `hadoop.security.authentication`
is set to `KERBEROS` in `$HADOOP_CONF_DIR/core-site.xml` or `$KYUUBI_HOME/conf/kyuubi-defaults.conf`.
Then we need to specify `kyuubi.kinit.principal` and `kyuubi.kinit.keytab` for authentication.
For example,
```bash
kyuubi.kinit.principal=spark/kyuubi.apache.org@KYUUBI.APACHE.ORG
kyuubi.kinit.keytab=/path/to/kyuuib.keytab
```
**Note**:
`kyuubi.kinit.principal` must be in the format: `/@`, and `` must
be a FQDN of the host Kyuubi is running.
Kyuubi will use this `principal` to impersonate client users,
so the cluster should enable it to do impersonation for some particular user from some particular hosts.
For example,
```bash
hadoop.proxyuser..groups *
hadoop.proxyuser..hosts *
```
## Further Readings
- [Hadoop in Secure Mode](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html)
- [Use Kerberos for authentication in Spark](https://spark.apache.org/docs/latest/security.html#kerberos)