[Hadoop] Kerberos가 -norandkey 옵션을 지원하지 않는 버전일 경우

Hadoop에 Kerberos를 붙이기 위해 keytab 파일을 만드는데,

kadmin shell에서 아래와 같은 명령어로 hdfs, HTTP 2개의 principal을 merge하여 keytab 파일을 만듬.

kadmin: xst -norandkey -k hdfs.keytab hdfs/myhost.com@MYREALM.COM HTTP/myhost.com@MYREALM.COM

근데 Kerberos의 버전에 따라 아래처럼 -norandkey 옵션이 없는 경우가 있음.

kadmin: xst

Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]

이럴 땐 keytab을 각 principal 별로 따로 만들어 놓고 ktutil 을 이용해 merge 하면 됨.

// kadmin

[root@myhost]# kadmin

// hdfs keytab 생성

kadmin: xst -k hdfs-unmerged.keytab hdfs/myhost.com@MYREALM.COM

// HTTP keytab 생성

kadmin: xst -k HTTP.keytab HTTP/myhost.com@MYREALM.COM

kadmin: quit

[root@myhost]# ktutil

// ktutil

ktutil: rkt hdfs-unmerged.keytab

ktutil: rkt HTTP.keytab

ktutil: wkt hdfs.keytab

ktutil: quit

// 확인

[root@myhost]# klist -e -k -t hdfs.keytab

Keytab name: FILE:hdfs.keytab

KVNO Timestamp         Principal

---- ----------------- --------------------------------------------------------

   3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 

   3 04/20/15 09:38:00 hfds/myhost.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 

   3 04/20/15 09:38:00 hfds/myhost.com@MYREALM.COM (Triple DES cbc mode with HMAC/sha1) 

   3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (ArcFour with HMAC/md5) 

   3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (DES with HMAC/sha1) 

   3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (DES cbc mode with RSA-MD5) 

   3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 

   3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 

   3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (Triple DES cbc mode with HMAC/sha1) 

   3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (ArcFour with HMAC/md5) 

   3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (DES with HMAC/sha1) 

   3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (DES cbc mode with RSA-MD5) 

[root@myhost]# kinit -k -t hdfs.keytab hdfs/myhost.com@MYREALM.COM

[root@myhost]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: hdfs/myhost.com@MYREALM.COM

Valid starting     Expires            Service principal

04/20/15 09:42:22  04/21/15 09:42:15  krbtgt/MYREALM.COM@MYREALM.COM

이제 merge가 완료된 hdfs.keytab 파일을 dfs.namenode.keytab.file 이나 dfs.datanode.keytab.file 에 지정해서 사용하면 됨.