# Kinit Auxiliary Service

The Kinit auxiliary service is a critical service both for authentication between the Kyuubi client and server and for authentication between the Kyuubi server and the Hadoop cluster in a Kerberos environment. It obtains a Kerberos Ticket Cache from the KDC and periodically re-runs `kinit` to keep the Ticket Cache fresh.

**Note**:

- The Kinit auxiliary service is critical to Kyuubi Kerberos authentication, but not vice versa.
- The Kinit auxiliary service can also work with other authentication modes.

## Installing and Configuring the Kerberos Clients

Usually, the Kerberos client is installed by default. You can validate this using the `klist` tool.

```bash
$ klist -V
Kerberos 5 version 1.15.1
```

If the client is not installed, you should install it beforehand on the OS platform on which you intend to run Kyuubi.

`krb5.conf` is the configuration file that controls how the Kerberos ticket cache is created. Its default location is `/etc` on Linux, and the `KRB5_CONFIG` environment variable can be used to override the location of the configuration file. Replace or configure `krb5.conf` so that it points to the KDC.

## Kerberos Ticket

The Kerberos client's purpose is to generate a Ticket Cache file. Kyuubi can then use this Ticket Cache to authenticate with kerberized services, e.g. HDFS, YARN, the Hive Metastore server, etc. A Kerberos ticket cache contains a service principal name and a client principal name, lifetime indicators, flags, and the credential itself, e.g.

```bash
$ klist
Ticket cache: FILE:/tmp/krb5cc_5441
Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG

Valid starting       Expires              Service principal
2020-11-25T13:17:18  2020-11-26T13:17:18  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
	renew until 2020-12-02T13:17:18
```

Kerberos credentials can be stored in a Kerberos ticket cache, for example `/tmp/krb5cc_5441` in the case above. They are valid for a relatively short period, so a long-running service like Kyuubi must refresh them continuously.
## Configurations

Key | Default | Meaning | Since
--- | --- | --- | ---
`kyuubi.kinit.principal` | `<undefined>` | Name of the Kerberos principal. | 1.0.0
`kyuubi.kinit.keytab` | `<undefined>` | Location of Kyuubi server's keytab. | 1.0.0
`kyuubi.kinit.interval` | PT1H | How often Kyuubi server runs `kinit -kt [keytab] [principal]` to renew the local Kerberos credentials cache | 1.0.0
`kyuubi.kinit.max.attempts` | 10 | How many times the `kinit` process will retry | 1.0.0
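The refresh behaviour that `kyuubi.kinit.interval` and `kyuubi.kinit.max.attempts` describe, as an added Python example (not Kyuubi's own code, which is written in Scala): it parses `klist` output to find the TGT expiry, decides whether the cache will outlive the next scheduled run, and otherwise re-runs `kinit -kt [keytab] [principal]` with a bounded number of attempts. It assumes `klist` prints timestamps in the ISO-like form shown above (the real format depends on locale) and that `kinit` exits non-zero on failure; `SAMPLE_KLIST` is constructed for this example, and the `runner` parameter exists only so the `kinit` call can be substituted when no KDC is reachable.

```python
"""Decide when a Kerberos ticket cache needs refreshing and re-run kinit with retries.

Added example; assumes klist timestamps look like 2020-11-26T13:17:18 (locale dependent)
and that `kinit -kt keytab principal` returns a non-zero exit status when it fails.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of `klist` output, not captured from a real cluster.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_5441
Default principal: spark/kyuubi.host.name@KYUUBI.APACHE.ORG

Valid starting       Expires              Service principal
2020-11-25T13:17:18  2020-11-26T13:17:18  krbtgt/KYUUBI.APACHE.ORG@KYUUBI.APACHE.ORG
\trenew until 2020-12-02T13:17:18
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_klist(text):
    """Return (principal, tgt_expiry, renew_until); a field is None when klist did not print it."""
    principal = expiry = renew_until = None
    m = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    if m:
        principal = m.group(1)
    # The TGT row is the one whose service principal starts with krbtgt/; the
    # second timestamp on that row is the expiry. The "renew until" row is
    # indented, so ^\S+ will not match it.
    m = re.search(r"^(\S+)\s+(\S+)\s+krbtgt/\S+", text, re.M)
    if m:
        expiry = datetime.strptime(m.group(2), TS_FORMAT)
    m = re.search(r"renew until\s+(\S+)", text)
    if m:
        renew_until = datetime.strptime(m.group(1), TS_FORMAT)
    return principal, expiry, renew_until


def needs_kinit(expiry, now, interval):
    """A fresh kinit is due when there is no TGT or it expires before the next scheduled run."""
    if expiry is None:
        return True
    return expiry <= now + interval


def refresh_due(klist_text, now_iso, interval_seconds):
    """Convenience wrapper: is a refresh due at `now_iso` given the klist output and the run interval?"""
    _, expiry, _ = parse_klist(klist_text)
    return needs_kinit(expiry, datetime.strptime(now_iso, TS_FORMAT), timedelta(seconds=interval_seconds))


def kinit_with_retry(keytab, principal, max_attempts=10, runner=None):
    """Run `kinit -kt keytab principal` up to max_attempts times.

    Returns the 1-based attempt number that succeeded, or 0 if every attempt failed.
    `runner` (assumed helper for this example) maps an argv list to an exit status;
    by default the real kinit binary is executed.
    """
    argv = ["kinit", "-kt", keytab, principal]
    run = runner or (lambda cmd: subprocess.run(cmd, capture_output=True).returncode)
    for attempt in range(1, max_attempts + 1):
        if run(argv) == 0:
            return attempt
    return 0


def refresh_once(keytab, principal, klist_text, now_iso, interval_seconds=3600, max_attempts=10, runner=None):
    """One tick of the refresh loop: kinit only when the cache would not survive until the next tick."""
    if not refresh_due(klist_text, now_iso, interval_seconds):
        return "fresh"
    return "renewed" if kinit_with_retry(keytab, principal, max_attempts, runner) else "failed"


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; no KDC is contacted.
    print(parse_klist(SAMPLE_KLIST))
    print(refresh_due(SAMPLE_KLIST, "2020-11-26T12:30:00", 3600))
```

With the real `runner` left at its default, a scheduler calling `refresh_once` every `kyuubi.kinit.interval` (PT1H above) mirrors the service's behaviour: the TGT is renewed an interval ahead of its expiry rather than after it lapses, and a KDC outage surfaces as a bounded series of failed attempts instead of an unbounded retry loop.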
When working with a Kerberos-enabled Hadoop cluster, we should ensure that `hadoop.security.authentication` is set to `KERBEROS` in `$HADOOP_CONF_DIR/core-site.xml` or `$KYUUBI_HOME/conf/kyuubi-defaults.conf`. Then we need to specify `kyuubi.kinit.principal` and `kyuubi.kinit.keytab` for authentication. For example,

```bash
kyuubi.kinit.principal=spark/kyuubi.apache.org@KYUUBI.APACHE.ORG
kyuubi.kinit.keytab=/path/to/kyuubi.keytab
```

**Note**: `kyuubi.kinit.principal` must be in the format `/@`, and `` must be the FQDN of the host Kyuubi is running on. Kyuubi will use this `principal` to impersonate client users, so the cluster must allow it to impersonate particular users from particular hosts. For example,

```bash
hadoop.proxyuser..groups *
hadoop.proxyuser..hosts *
```

## Further Readings

- [Hadoop in Secure Mode](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html)
- [Use Kerberos for authentication in Spark](http://spark.apache.org/docs/latest/security.html#kerberos)