When you enable Kerberos authentication on an EMR cluster, you can use either a built-in Key Distribution Center (KDC) that EMR manages, or connect to an external KDC to centralize identity management across multiple clusters.
External KDC support is available in EMR V3.43.1, V5.9.1, and later minor versions. The external KDC must be an MIT Kerberos KDC.
Prerequisites
Before you begin, make sure you have:
The IP address and port of the external KDC (port 88 by default)
The IP address and port of Kadmin (port 749 by default)
The name and password of a Kerberos principal with admin permission
Check these values before you create the cluster: every KDC and Kadmin address must be reachable from the cluster network, and the admin credentials must be valid. Otherwise the connection to the external KDC fails, and EMR cannot create the cluster's principals or export their keytab files.
Network requirements
Every node in the EMR cluster must be able to reach the external KDC and the Kadmin server. Open the following ports in your firewall or security group for inbound traffic from every cluster node:
| Port | Protocol | Service |
|---|---|---|
| 88 | TCP | KDC |
| 88 | UDP | KDC |
| 749 | TCP | Kadmin |
Connect to an external KDC
For instructions on creating a cluster, see Create a cluster.
In the Software Configuration step when creating a cluster, turn on Kerberos Authentication in the Advanced Settings section.
For KDC Source, select External KDC. By default, Self-managed KDC is selected, which means EMR provisions a dedicated KDC for the cluster. Selecting External KDC reveals the following parameters.
| Parameter | Description |
|---|---|
| KDC Hosts | IP address and port of the KDC. To specify multiple addresses, separate them with commas. Example: `192.168..:88,192.168..:88`. Default port: 88. |
| Realm Name | Name of the KDC realm. This must be the realm that the external KDC serves. Example: `EMR.C-XXXXX.COM`. |
| Kadmin Hosts | IP address and port of Kadmin. Separate multiple addresses with commas. Example: `192.168..:749,192.168..:749`. Default port: 749. |
| Admin Principal | Name of the Kerberos principal used to connect to Kadmin. Example: `root/admin`. The principal must have admin permission (on MIT Kerberos, granted through the KDC's `kadm5.acl`); otherwise EMR cannot create principals or export keytab files. |
| Admin Password | Password for the admin principal. |
| Confirm Password | Re-enter the admin principal password. |
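The prerequisites and network requirements above can be verified from a cluster node before you fill in the console. The script below is an added example written for this page; it is not code from EMR or from the EMR documentation. It assumes the MIT `kadmin` and `klist` client tools and `nc` are installed on the node, and every address, the realm, the principal and the password in it are constructed placeholders that you override through environment variables. Beyond reachability it also proves, with a throw-away principal that it deletes afterwards, that the admin principal can create a principal and export a keytab, which is exactly what EMR does with it.

```shell
#!/bin/sh
# Pre-flight check for the "External KDC" parameters, run from an EMR node.
# Added example, not Alibaba Cloud EMR code. Assumes MIT krb5 client tools
# (kadmin, klist) and nc are installed; all addresses, the realm and the
# password below are constructed placeholders, override them via the environment.
set -u

KDC_HOSTS=${KDC_HOSTS:-192.0.2.10,192.0.2.11:88}     # "KDC Hosts" field
KADMIN_HOSTS=${KADMIN_HOSTS:-192.0.2.10:749}         # "Kadmin Hosts" field
REALM=${REALM:-EMR.C-XXXXX.COM}                      # "Realm Name" field
ADMIN_PRINCIPAL=${ADMIN_PRINCIPAL:-root/admin}       # "Admin Principal" field
ADMIN_PASSWORD=${ADMIN_PASSWORD:-changeme}           # "Admin Password" field (placeholder)

# split_hosts LIST DEFAULT_PORT: turn the comma-separated console field into one
# "host port" line per entry, filling in the default port the way the console
# does (IPv4 host[:port] only, which is what the console examples use).
split_hosts() {
  printf '%s\n' "$1" | tr ',' '\n' | while read -r entry; do
    [ -n "$entry" ] || continue
    case $entry in
      *:*) printf '%s %s\n' "${entry%%:*}" "${entry##*:}" ;;
      *)   printf '%s %s\n' "$entry" "$2" ;;
    esac
  done
}

# realm_sane NAME: MIT realm names are case-sensitive and upper-case by
# convention; an empty or lower-case value is almost always a typo.
realm_sane() {
  case $1 in ''|*[a-z]*|*' '*) return 1 ;; *) return 0 ;; esac
}

# check_tcp HOST PORT: the security-group check from this node. TCP only:
# UDP/88 cannot be verified by a connect test, yet kinit uses it first for
# small requests by default, so open it in the security group regardless.
check_tcp() {
  if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then
    echo "ok   tcp $1:$2"
  else
    echo "FAIL tcp $1:$2 not reachable from $(hostname): check firewall/security group"
    return 1
  fi
}

# kadmin_q HOST PORT QUERY: one kadmin query against a given Kadmin host.
# -w exposes the password in the process list: fine for a one-off check, not for cron.
kadmin_q() {
  kadmin -r "$REALM" -p "$ADMIN_PRINCIPAL" -w "$ADMIN_PASSWORD" -s "$1:$2" -q "$3"
}

# check_admin HOST PORT: prove the credentials work and that the principal can do
# what EMR needs, i.e. create a principal and export its keytab, using a
# throw-away principal that is deleted again at the end.
check_admin() {
  probe="emr-preflight-$$@$REALM"
  kt=$(mktemp) && rm -f "$kt"            # ktadd creates the keytab file itself
  kadmin_q "$1" "$2" "getprinc $ADMIN_PRINCIPAL" >/dev/null || {
    echo "FAIL kadmin $1:$2: cannot authenticate as $ADMIN_PRINCIPAL (realm, principal or password wrong?)"; return 1; }
  kadmin_q "$1" "$2" "addprinc -randkey $probe" >/dev/null || {
    echo "FAIL kadmin $1:$2: $ADMIN_PRINCIPAL may not add principals (check kadm5.acl)"; return 1; }
  if kadmin_q "$1" "$2" "ktadd -k $kt $probe" >/dev/null && klist -kt "$kt" >/dev/null; then
    echo "ok   kadmin $1:$2: addprinc + ktadd succeeded as $ADMIN_PRINCIPAL"
    admin_rc=0
  else
    echo "FAIL kadmin $1:$2: $ADMIN_PRINCIPAL cannot export keytabs (check kadm5.acl)"
    admin_rc=1
  fi
  kadmin_q "$1" "$2" "delprinc -force $probe" >/dev/null
  rm -f "$kt"
  return $admin_rc
}

main() {
  status=0
  realm_sane "$REALM" || echo "WARN realm '$REALM' is empty or not upper-case"
  # KDC hosts: reachability on the KDC port (88 by default)
  while read -r h p; do
    [ -n "$h" ] || continue
    check_tcp "$h" "$p" || status=1
  done <<EOF
$(split_hosts "$KDC_HOSTS" 88)
EOF
  # Kadmin hosts: reachability on 749 by default, then the admin-permission probe
  while read -r h p; do
    [ -n "$h" ] || continue
    check_tcp "$h" "$p" && check_admin "$h" "$p" || status=1
  done <<EOF
$(split_hosts "$KADMIN_HOSTS" 749)
EOF
  [ "$status" -eq 0 ] && echo "all checks passed" || echo "fix the failures above before creating the cluster"
  return $status
}

# Run the checks only when invoked with --run, so the functions can also be sourced.
if [ "${1-}" = "--run" ]; then main; fi
```

Run it as `sh preflight.sh --run` (the file name is hypothetical) with the same values you intend to enter in the console. A passing TCP check only shows that the security group is open; the kadmin step is what catches a wrong realm name, a wrong password, or an admin principal whose `kadm5.acl` entry does not allow adding principals or extracting keys.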