After you configure a cross-realm trust relationship for clusters for which Kerberos authentication is enabled, the clusters can access each other.
Limits
A cross-realm trust relationship can be configured for clusters for which Kerberos authentication is enabled in EMR V3.37.1 or a later minor version, or EMR V5.3.1 or a later minor version.
Procedure
Step 1: Make preparations
This topic uses an example in which services in Cluster-B are accessed from Cluster-A. Cluster-A and Cluster-B belong to different realms. After Cluster-A obtains the Ticket Granting Ticket (TGT) that is issued by the key distribution center (KDC) of Cluster-A, you can access the services in Cluster-B from Cluster-A. The cross-realm trust configured in this topic is a one-way trust, so you cannot access the services in Cluster-A from Cluster-B. To access the services in Cluster-A from Cluster-B, swap the roles of the two clusters in the configuration and perform the steps that are described in this topic.
Run the hostname command to obtain the hostname. Then, obtain the realm from the krb5.conf file that is stored in the /etc/ directory of each emr-header-1 node. Hostnames and realms of Cluster-A and Cluster-B:
- Cluster-A
  - Hostname: emr-header-1.cluster-1234
  - Realm: EMR.1234.COM
- Cluster-B
  - Hostname: emr-header-1.cluster-6789
  - Realm: EMR.6789.COM
Step 2: Add principals for cross-realm authentication
Step 3: Modify configurations in the krb5.conf file on Cluster-A
Step 4: Access services in Cluster-B
In Cluster-A, use the Kerberos keytab file to access the services in Cluster-B.
kinit -kt test.keytab test@EMR.1234.COM
hadoop fs -ls hdfs://emr-header-1.cluster-6789:9000/
Found 6 items
drwxr-xr-x - hadoop hadoop 0 2021-08-27 10:10 hdfs://emr-header-1.cluster-6789:9000/apps
drwxrwxrwt - hadoop hadoop 0 2021-08-27 10:10 hdfs://emr-header-1.cluster-6789:9000/spark-history
drwxrwxrwt - hadoop hadoop 0 2021-08-27 10:11 hdfs://emr-header-1.cluster-6789:9000/tmp
drwxrwxrwt - hadoop hadoop 0 2021-08-27 10:11 hdfs://emr-header-1.cluster-6789:9000/user
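A preflight check that can be run on Cluster-A before Step 4, added here as an example and not part of the original procedure or of EMR: it reads a krb5.conf, resolves the target hostname to a realm, confirms that a KDC is listed for that realm, and prints the cross-realm TGT principal (krbtgt/<target realm>@<source realm>) that a one-way trust from Cluster-A to Cluster-B relies on. Assumptions: the function names are hypothetical, the sample file and its KDC addresses (kdc-a.example, kdc-b.example) are constructed placeholders, and Step 3 is assumed to leave [realms] and [domain_realm] entries for the realm of Cluster-B in the file.

```shell
#!/bin/sh
# Added example: preflight check on Cluster-A's krb5.conf (sample file is constructed).
default_realm() {   # print default_realm from [libdefaults]
  awk '/^\[/ { sec = $0 }
    sec == "[libdefaults]" && $1 == "default_realm" { print $3; exit }' "$1"
}
realm_has_kdc() {   # succeed if [realms] defines a kdc for realm $2
  awk -v r="$2" '/^\[/ { sec = $0; next }
    sec != "[realms]" { next }
    $2 == "=" && $3 == "{" { cur = $1 }
    $1 == "}" { cur = "" }
    cur == r && $1 == "kdc" { found = 1 }
    END { exit !found }' "$1"
}
host_realm() {      # map host $2 to a realm: exact name first, then parent domains
  awk -v h="$2" '/^\[/ { sec = $0; next }
    sec == "[domain_realm]" && $2 == "=" { map[$1] = $3 }
    END {
      while (h != "") {
        if (h in map) { print map[h]; exit 0 }
        if (substr(h, 1, 1) == ".") { h = substr(h, 2) }
        else { i = index(h, "."); h = (i ? substr(h, i) : "") }
      }
      exit 1
    }' "$1"
}
preflight() {       # args: krb5.conf path, target hostname
  src=$(default_realm "$1")
  dst=$(host_realm "$1" "$2") || { echo "no [domain_realm] entry covers $2"; return 1; }
  realm_has_kdc "$1" "$dst" || { echo "no kdc for $dst in [realms]"; return 1; }
  echo "krbtgt/$dst@$src"   # principal that must exist in both KDCs
}
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
[libdefaults]
    default_realm = EMR.1234.COM
[realms]
    EMR.1234.COM = {
        kdc = kdc-a.example:88
    }
    EMR.6789.COM = {
        kdc = kdc-b.example:88
    }
[domain_realm]
    .cluster-1234 = EMR.1234.COM
    .cluster-6789 = EMR.6789.COM
EOF
preflight "$CONF" emr-header-1.cluster-6789
```

On a real node, point preflight at /etc/krb5.conf instead of the constructed file; a failure message names the section that is missing the entry for Cluster-B.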