Set Up Kerberos for Pentaho
Overview
Instructions for setting up Kerberos on Pentaho computers that will connect to Big Data clusters.
How you set up Kerberos on a machine that the Pentaho Server can access to connect to Big Data clusters depends on your operating system.
Configure Kerberos on Linux
To configure Linux computers, complete these tasks.
Install JCE on Linux
This step is optional. The KDC configuration includes an AES-256 encryption setting. If you want to use this encryption strength, you will need to install the Java Cryptographic Extension (JCE) files.
-
Download the Java Cryptographic Extension (JCE) for the currently supported version of Java from the Oracle site.
- Read the installation instructions that are included with the download.
- Copy the JCE jars to the java/lib/security directory where PDI is installed on the Linux machine.
Download and Install Kerberos on Linux
Download and install a Kerberos server. Check your operating system's documentation for further details on how to do this.
Modify Kerberos Configuration File to Reflect Realm, KDC, and Admin Server on Linux
Modify the Kerberos configuration file to reflect your Realm, KDC, and Admin Server.
-
Open the krb5.conf file. By default this file is located in /etc/krb5.conf, but it might be somewhere else on your system.
- Add your Realm, KDC, and Admin Server information. The information in-between the carats < > indicates where you should modify the code to match your specific environment settings.
[libdefaults] default_realm = <YOUR_REALM.COM> ... [realms] <YOUR_REALM.COM>= { kdc=<KDC IP Address, or resolvable Hostname> admin_server=<Admin Server IP Address, or resolvable Hostname> ... } [domain_realm] <.your_realm.com> = <YOUR_REALM.COM> <your_realm.com> = <YOUR_REALM.COM> - Save and close the configuration file.
- Restart the computer.
Synchronize Clock on Linux
Synchronize the clock on the Linux with the clock on the Hadoop cluster. This is important because if the clocks are too far apart, then when authentication is attempted, Kerberos will not consider the tickets that are granted to be valid and the user will not be authenticated.
Consult your operating system's documentation for information on how to properly set your clock.
Obtain Kerberos Ticket on Linux
To obtain a Kerberos ticket, complete these steps.
- Open a Terminal window and type kinit at the prompt.
- When prompted for a password, enter it.
- The prompt appears again. To ensure that the Kerberos ticket was granted, type klist at the prompt.
- Authentication information appears.
Next Step
Go to the Set Up User Accounts and Ensure Network Access section.
Configure Kerberos on Windows
To configure Kerberos Windows computers, complete these tasks.
Install JCE on Windows
This step is optional. The KDC configuration includes an AES-256 encryption setting. If you want to use this encryption strength, you will need to install the Java Cryptographic Extension (JCE) files.
-
Download the Java Cryptographic Extension (JCE) for the currently supported version of Java from the Oracle site.
- Read the installation instructions that are included with the download.
- Copy the JCE jars to the java\lib\security directory where PDI is installed.
Download and Install Kerberos on Windows
Download and install a Kerberos server. We recommend that you use the Heimdal implementation of Kerberos, which can be found here: https://www.secure-endpoints.com/heimdal/.
Edit Kerberos Configuration File to Reflect Realm, KDC, and Admin Server on Windows
You will need to modify the Kerberos configuration file to reflect the appropriate realm, KDC, and Admin Server.
-
Open the krb5.conf file. By default this file is located in c:\ProgramData\Kerberos. This location might be different on your system.
- Add the appropriate realm, KDC, and Admin Server information.
[libdefaults]
default_realm = <YOUR_REALM.COM>
...
[realms]
<YOUR_REALM.COM>= {
kdc=<KDC IP Address, or resolvable Hostname>
admin_server=<Admin Server IP Address, or resolvable Hostname>
...
}
[domain_realm]
<.your_realm.com> = <YOUR_REALM.COM>
<your_realm.com> = <YOUR_REALM.COM>
- Save and close the configuration file.
- Make a copy of the configuration file and place it in the c:\Windows directory. Rename the file krb5.ini.
- Restart the computer.
Synchronize Clock on Windows
Synchronize the clock on the Windows with the clock on the Hadoop cluster. This is important because if the clocks are too far apart, then when authentication is attempted, Kerberos will not consider the tickets that are granted to be valid and the user will not be authenticated. The times on the Windows clock and the Hadoop cluster clock must not be greater than the range you entered for the clockskew variable in krb5.conf file.
Consult your operating system's documentation for information on how to properly set your clock.
Obtain Kerberos Ticket on Windows
To obtain a Kerberos ticket, complete these steps.
- Open a Command Prompt window and type kinit at the prompt.
- When prompted for a password, enter it.
- The prompt appears again. To ensure that the Kerberos ticket was granted, type klist at the prompt.
- Authentication information appears. Note that if you are using the correct version of Kerberos (Heimdal), the klist command output should not have the "Current LoginId is ..." prompt.
Set Up User Accounts and Network Access (All OS)
Ensure that user accounts and network access has been granted. Specific tasks include:
- Ensure the ports you plan to use are open between the cluster and computers running Pentaho components, like the Pentaho Server, Spoon, PRD, and PME.
- Make sure each server can use a hostname to access each computer on the cluster. Test to ensure that IP addresses resolve to hostnames using both forward and reverse lookups.
- Add user account credentials for each Pentaho user needing access to the cluster through the Kerberos database.
- Make sure the UID and GID for the user that you are running your jobs as on the matches the user UID and GID of that user for every computer of the cluster.
Next Step
Continue with the configuration process: