E-MapReduce: Connect to an external KDC

Last Updated: Jan 03, 2024

Alibaba Cloud E-MapReduce (EMR) allows you to connect to an external Key Distribution Center (KDC) when you create an EMR cluster of V3.43.1, V5.9.1, or a minor version later than V3.43.1 or V5.9.1. When you use Kerberos authentication in your EMR cluster, you can use a built-in KDC in the cluster or an external KDC for identity management and authentication in a centralized manner.

Prerequisites

The IP address of the external KDC, the IP address of Kadmin, and the name and password of a Kerberos principal are obtained.

Note

You must make sure that the information you obtained is valid. Otherwise, the connection may fail.

Limits

The external KDC must be built on top of MIT Kerberos.

Precautions

Make sure that your EMR cluster can reach the IP addresses and ports of the external KDC. For example, make sure that TCP ports 88 and 749 and UDP port 88 are reachable.

Procedure

For information about how to create a cluster, see Create a cluster.

  1. In the Software Configuration step when you create a cluster, turn on Kerberos Authentication in the Advanced Settings section.

  2. Select External KDC for KDC Source.

    By default, Self-managed KDC is selected for KDC Source, which indicates that the system creates a KDC for your EMR cluster. If you select External KDC, configure the parameters. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | KDC Hosts | The IP address and port of the KDC. Separate multiple IP addresses with commas (,). Example: `192.168.**.**:88,192.168.**.**:88`. Important: Make sure that your EMR cluster can reach the IP addresses and ports of the KDC. |
    | Realm Name | The name of the KDC realm. |
    | Kadmin Hosts | The IP address and port of Kadmin. Separate multiple IP addresses with commas (,). Example: `192.168.**.**:749,192.168.**.**:749`. Important: Make sure that your EMR cluster can reach the IP addresses and ports of Kadmin. |
    | Admin Principal | The name of the Kerberos principal that is used to connect to Kadmin. Make sure that the Kerberos principal is granted the admin permission. Otherwise, no principal can be created and no keytab file can be exported. |
    | Admin Password | The password of the Kerberos principal that is used to connect to Kadmin. |
    | Confirm Password | |