This topic describes how to implement cross-realm mutual trust for Kerberos clusters. This helps with access between Kerberos clusters across realms.

Procedure

In this topic, cross-realm mutual trust is implemented to realize cross-realm access from the Cluster-A cluster to a service of the Cluster-B cluster. The access can be realized only after the cross-realm mutual trust is implemented and the Cluster-A cluster obtains a Ticket Granting Ticket (TGT) from its Key Distribution Center (KDC) server. In the following steps, the cross-realm mutual trust is implemented for only one-way access. To realize cross-realm access from the Cluster-B cluster to a service of the Cluster-A cluster, exchange the configurations of the two clusters when you perform the following steps:

Step 1: Make preparations

On the Configure tab of the Kerberos service page in the Cluster-A cluster, click the krb5.conf subtab and obtain the values of the kdc_hosts and realm parameters. The two parameters indicate the hostname and the realm of the cluster. Repeat the operation for the Cluster-B cluster. In this topic, the following information about hostnames and realms is obtained:
  • The Cluster-A cluster:
    • Hostname: master-1-1.1234.cn-hangzhou.emr.aliyuncs.com
    • Realm: EMR.1234.COM
  • The Cluster-B cluster:
    • Hostname: master-1-1.6789.cn-hangzhou.emr.aliyuncs.com
    • Realm: EMR.6789.COM

Step 2: Create a Principal for cross-realm authentication

  1. Log on to the master-1-1 node in the Cluster-A cluster in SSH mode.
  2. Run the following command as the root user to create a Principal for cross-realm authentication for Cluster-A:
    kadmin.local -q "addprinc -pw 123456 krbtgt/EMR.6789.COM@EMR.1234.COM"
    Parameters in the command:
    • 123456: the initial password, which can be customized.
    • EMR.1234.COM: the realm of the Cluster-A cluster.
    • EMR.6789.COM: the realm of the Cluster-B cluster.
  3. Log on to the master-1-1 node in the Cluster-B cluster and repeat the preceding operations to create a Principal for cross-realm authentication for Cluster-B.

Step 3: Modify the krb5.conf file

On the Configure tab of the Kerberos service page in the Cluster-A cluster, click the krb5.conf subtab and modify the following settings:
  • other_realms
    EMR.C-BE49B6BBAEEA****.COM = {
      kdc = 192.168.xx.xx:88
      admin_server = 192.168.xx.xx:749
    }
  • domains
    .1234.cn-hangzhou.emr.aliyuncs.com = EMR.1234.COM
    .6789.cn-hangzhou.emr.aliyuncs.com = EMR.6789.COM
  • capaths
    EMR.1234.COM = {
      EMR.6789.COM = .
    }
    EMR.6789.COM = {
      EMR.1234.COM = .
    }
After you modify the settings, click Save and then Deploy Client Configuration at the bottom of the subtab.
Note: If you want to run jobs in the Cluster-A cluster that involve access to the Cluster-B cluster, restart YARN in the Cluster-B cluster.
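The following script is an added example, not part of the original topic or of the EMR product, that checks the result of Steps 2 and 3 before you deploy it: it parses the [realms], [domain_realm] and [capaths] sections of a krb5.conf, reports domain mappings or capaths rules that point at a realm without a KDC entry, and derives which cross-realm krbtgt principals each KDC must hold (for a direct path A -> B, both KDCs need krbtgt/B@A with the same key, which is why Step 2 is repeated on both clusters). The sample configuration is constructed from the page's realms and hostnames; 192.168.xx.xx is the page's own placeholder for the Cluster-B KDC address.

```python
import re

# Constructed sample: the Cluster-A (EMR.1234.COM) krb5.conf after Step 3,
# with Cluster-B (EMR.6789.COM) added as a trusted peer realm.
SAMPLE_KRB5_CONF = """
[realms]
  EMR.1234.COM = {
    kdc = master-1-1.1234.cn-hangzhou.emr.aliyuncs.com:88
    admin_server = master-1-1.1234.cn-hangzhou.emr.aliyuncs.com:749
  }
  EMR.6789.COM = {
    kdc = 192.168.xx.xx:88
    admin_server = 192.168.xx.xx:749
  }

[domain_realm]
  .1234.cn-hangzhou.emr.aliyuncs.com = EMR.1234.COM
  .6789.cn-hangzhou.emr.aliyuncs.com = EMR.6789.COM

[capaths]
  EMR.1234.COM = {
    EMR.6789.COM = .
  }
  EMR.6789.COM = {
    EMR.1234.COM = .
  }
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above into {section: {key: value|dict}}.

    "key = {" opens a nested block closed by "}"; comments (# or ;) and blank
    lines are skipped; a repeated key (several kdc lines) becomes a list.
    """
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError("key outside of any section: %r" % line)
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = current.setdefault(key, {})
            continue
        target = block if block is not None else current
        if key in target:
            old = target[key]
            target[key] = old + [value] if isinstance(old, list) else [old, value]
        else:
            target[key] = value
    return sections


def check_cross_realm(conf):
    """Return a list of problems; an empty list means the trust config is consistent."""
    problems = []
    realms = conf.get("realms", {})
    for realm, entry in realms.items():
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append("realm %s has no kdc entry" % realm)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append("domain %s maps to unknown realm %s" % (domain, realm))
    for src, paths in conf.get("capaths", {}).items():
        if src not in realms:
            problems.append("capaths source realm %s has no [realms] entry" % src)
        for dst in (paths if isinstance(paths, dict) else {}):
            if dst not in realms:
                problems.append("capaths %s -> %s: destination has no [realms] entry" % (src, dst))
    return problems


def required_krbtgt_principals(conf):
    """Map each realm to the cross-realm krbtgt principals its KDC must hold.

    For a direct path SRC -> DST (value "."), SRC's KDC issues krbtgt/DST@SRC
    and DST's KDC must hold the same principal with the same key to verify
    the cross-realm TGT. Multi-hop paths through intermediate realms are
    not handled here.
    """
    required = {}
    for src, paths in conf.get("capaths", {}).items():
        for dst, hop in (paths.items() if isinstance(paths, dict) else []):
            if hop == ".":
                principal = "krbtgt/%s@%s" % (dst, src)
                required.setdefault(src, set()).add(principal)
                required.setdefault(dst, set()).add(principal)
    return required


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in check_cross_realm(conf) or ["cross-realm configuration is consistent"]:
        print(p)
    for realm, principals in sorted(required_krbtgt_principals(conf).items()):
        print("%s KDC needs: %s" % (realm, ", ".join(sorted(principals))))
```

Run it against the krb5.conf that the Kerberos service page generates for each cluster; the derived principal list is what `kadmin.local -q "listprincs"` on each master-1-1 node should contain after Step 2, and the password chosen in Step 2 must be identical on both KDCs or the cross-realm TGT will not verify.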

Step 4: Access a service of the Cluster-B cluster

After the Cluster-A cluster obtains a TGT from its KDC server, you can access a service of the Cluster-B cluster from the Cluster-A cluster.
  1. Create a Principal for a test and generate a ticket.
    kadmin.local -q "addprinc -pw 123456 test"
    kinit test
  2. Access the Hadoop Distributed File System (HDFS) service of the Cluster-B cluster from the Cluster-A cluster.
    hdfs dfs -ls hdfs://master-1-1.6789.cn-hangzhou.emr.aliyuncs.com:9000/