
E-MapReduce:Basic operations on Kerberos

Last Updated:Mar 26, 2026

Use the Key Distribution Center (KDC) server tools to manage principals and keytabs on the server side, and use standard Kerberos CLI commands to manage tickets on the client side.

Prerequisites

Before you begin, ensure that you have:

Configuration files

EMR Kerberos uses two configuration files:

File: krb5.conf
  Role: Client-side configuration. Defines the KDC server location, realm names, and hostname-to-realm mappings.
  Path: /etc/krb5.conf on each EMR node

File: kdc.conf
  Role: Server-side configuration. Configures the KDC-related services: krb5kdc, kadmind, and kdb5_util.
  Path: /var/kerberos/krb5kdc/kdc.conf on the EMR node where the KDC server resides
Important

Do not edit krb5.conf or kdc.conf directly on EMR nodes. To change settings, go to the EMR console, navigate to the Kerberos service page, and use the Configure tab. Note that only some settings are modifiable there.

Server-side operations

All server-side operations use the kadmin CLI. Open it using one of the following methods, depending on which node you are logged on to.

Open the kadmin CLI

On the master-1-1 node (as root):

# Direct local access — no password required
kadmin.local

On any other node or gateway:

# Remote access — authenticate with admin credentials
kadmin -p <admin-user> -w <admin-password>

Replace the placeholders with the following values:

<admin-user>: root/admin (when using the KDC server provided by EMR)
<admin-password>: The value of the admin_pwd parameter on the Configure tab of the Kerberos service page in the EMR console

Manage principals

A principal is a unique identity in the Kerberos system. Kerberos assigns tickets to principals for authentication.

Principal names follow these formats:

# Service principal
<service-name>/<hostname>@<REALM>

# User principal
<username>@<REALM>

For example: spark/node-1.example.com@EXAMPLE.COM (service) or alice@EXAMPLE.COM (user).

Create a principal:

# Create a new principal and set its password
addprinc -pw <principal-password> <principal-name>

Delete a principal:

delprinc <principal-name>

Change a principal's password:

change_password <principal-name>

List all principals:

listprincs

Manage keytabs

A keytab is a file that stores the long-term keys of one or more principals. A client can use these keys to obtain tickets without entering a password.

Export a keytab:

# Export the keytab for a principal to the specified path
ktadd -k <keytab-path> <principal-name>

Replace the placeholders with the following values:

<keytab-path>: The local path where the keytab file will be saved
<principal-name>: The name of the principal whose keys to export

Warning

Each EMR service (such as Spark) maintains its own principal — for example, spark/hostname@realm — and a corresponding keytab for internal authentication. Exporting or modifying such a service principal's keytab invalidates the original keytab and disrupts the service. Do not modify this type of principal, and do not export the related keytab file.
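The following is an added example, not part of this page or of EMR's own tooling. It turns the two principal formats shown under "Manage principals" and the warning above into a small guard for keytab export: a principal name is classified as service-style (contains a "/" instance component) or user-style, and only user principals are passed to ktadd. The kadmin invocation assumes the admin credentials described above; the safe_ktadd wrapper and its argument names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: classify principal names and guard keytab export so that
# EMR service principals (e.g. spark/<hostname>@<REALM>) are never handed
# to ktadd. Names with an instance component such as root/admin@<REALM>
# also match the service pattern, so the guard is deliberately conservative.

# Print "service", "user" or "invalid" for a principal name.
principal_kind() {
  case "$1" in
    */*/*) echo invalid ;;        # more than one "/" component
    *@*@*) echo invalid ;;        # more than one realm separator
    ?*/?*@?*) echo service ;;     # <service-name>/<hostname>@<REALM>
    ?*@?*) echo user ;;           # <username>@<REALM>
    *) echo invalid ;;            # missing realm or empty component
  esac
}

# Print the realm (text after the last "@"), or nothing if absent.
principal_realm() {
  case "$1" in
    *@*) printf '%s\n' "${1##*@}" ;;
    *) printf '\n' ;;
  esac
}

# Return 0 if exporting a keytab for this principal is allowed.
# Service-style principals are refused: exporting their keytab would
# invalidate the keytab the EMR service is already using.
keytab_export_allowed() {
  [ "$(principal_kind "$1")" = user ]
}

# Guarded wrapper around "ktadd -k <keytab-path> <principal-name>".
# Runs the command through kadmin's -q option with the admin credentials
# from the Kerberos service page (hypothetical wrapper, example only).
safe_ktadd() {
  keytab="$1"; principal="$2"; admin_user="$3"; admin_pw="$4"
  if ! keytab_export_allowed "$principal"; then
    echo "refusing to export keytab for non-user principal: $principal" >&2
    return 1
  fi
  kadmin -p "$admin_user" -w "$admin_pw" -q "ktadd -k $keytab $principal"
}
```

Call safe_ktadd only for user principals you created yourself; the guard returns 1 without contacting the KDC for anything else.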

Client-side operations

A ticket is a time-limited credential that proves a principal's identity to Kerberos-protected services.

Obtain a ticket using a keytab:

kinit -kt <keytab-path> <principal-name>

View current tickets:

klist

Destroy all tickets:

kdestroy

What's next

For a conceptual overview of how Kerberos authentication works, see Overview.