E-MapReduce:Cross-realm mutual trust

Last Updated:Feb 24, 2025

This topic describes how to implement cross-realm mutual trust between Kerberos clusters, so that a cluster in one realm can access services of a cluster in another realm.

Procedure

In this topic, cross-realm mutual trust is configured so that the Cluster-A cluster can access a service of the Cluster-B cluster. Such access works only after the trust is in place and the Cluster-A cluster has obtained a Ticket Granting Ticket (TGT) from its own Key Distribution Center (KDC) server. The following steps set up trust for one-way access only. To allow the Cluster-B cluster to access a service of the Cluster-A cluster, swap the configurations of the two clusters when you perform the steps:

Step 1: Make preparations

On the Configure tab of the Kerberos service page in the Cluster-A cluster, click the krb5.conf subtab and obtain the values of the kdc_hosts and realm parameters. The two parameters indicate the hostname and the realm of the cluster. Repeat the operation for the Cluster-B cluster. In this topic, the following information about hostnames and realms is obtained:

  • Cluster-A:

    • Hostname: master-1-1.1234.cn-hangzhou.emr.aliyuncs.com

    • Realm: EMR.1234.COM

  • Cluster-B:

    • Hostname: master-1-1.6789.cn-hangzhou.emr.aliyuncs.com

    • Realm: EMR.6789.COM

Step 2: Create a Principal for cross-realm authentication

  1. Log on to the master-1-1 node in the Cluster-A cluster in SSH mode.

  2. Run the following command as the root user to create a Principal for cross-realm authentication for Cluster-A:

    kadmin.local -q "addprinc -pw 123456 krbtgt/EMR.6789.COM@EMR.1234.COM"

    Parameters in the command:

    • 123456: the initial password, which can be customized.

    • EMR.1234.COM: the realm of the Cluster-A cluster.

    • EMR.6789.COM: the realm of the Cluster-B cluster.

  3. Log on to the master-1-1 node in the Cluster-B cluster and repeat the preceding operation so that the Cluster-B KDC also holds the cross-realm Principal. The Principal name and password must be identical on both KDCs: the Cluster-B KDC uses that shared key to validate the cross-realm ticket issued by the Cluster-A KDC.

Step 3: Modify the krb5.conf file

Log on to every node in the Cluster-A cluster in SSH mode and add the following entries to the /etc/krb5.conf file on each node. In a standard krb5.conf file these three items belong to the [realms], [domain_realm], and [capaths] sections respectively: the other_realms entry registers the remote realm (that of the Cluster-B cluster) together with the address of its KDC, domains maps node hostnames to realms, and capaths declares a direct trust path (".") between the two realms. No service restart is required after the modification.

  • other_realms

    EMR.C-BE49B6BBAEEA****.COM = {
      kdc = 192.168.xx.xx:88
      admin_server = 192.168.xx.xx:749
    }
  • domains

    .1234.cn-hangzhou.emr.aliyuncs.com = EMR.1234.COM
    .6789.cn-hangzhou.emr.aliyuncs.com = EMR.6789.COM
  • capaths

    EMR.1234.COM = {
       EMR.6789.COM = .
    }
    EMR.6789.COM = {
       EMR.1234.COM = .
    }
Note

If you want to run jobs in the Cluster-A cluster that involve access to the Cluster-B cluster, restart YARN in the Cluster-B cluster.

Step 4: Access a service of the Cluster-B cluster

After the Cluster-A cluster obtains a TGT from its KDC server, you can access a service of the Cluster-B cluster from the Cluster-A cluster.

  1. Create a test Principal and obtain a ticket for it.

    kadmin.local -q "addprinc -pw 123456 test"
    kinit test
  2. Access the Hadoop Distributed File System (HDFS) service of the Cluster-B cluster from the Cluster-A cluster.

    hdfs dfs -ls hdfs://master-1-1.6789.cn-hangzhou.emr.aliyuncs.com:9000/
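As an added example that is not part of this topic or of E-MapReduce, the following Python script parses a krb5.conf fragment and checks, before kinit is run, whether a TGT from the Cluster-A realm can reach a Cluster-B host: the host's domain must map to a realm, that realm must have a kdc address, and [capaths] must declare a direct (".") path. It also reports the krbtgt Principal from Step 2 that both KDCs must hold with the same key. The sample configuration and the 192.0.2.10 KDC address are constructed for the example.

```python
# Constructed krb5.conf fragment modelling Cluster-A after Step 3 (not the page's own file).
SAMPLE_KRB5_CONF = """
[realms]
  EMR.6789.COM = {
    kdc = 192.0.2.10:88
  }
[domain_realm]
  .1234.cn-hangzhou.emr.aliyuncs.com = EMR.1234.COM
  .6789.cn-hangzhou.emr.aliyuncs.com = EMR.6789.COM
[capaths]
  EMR.1234.COM = {
    EMR.6789.COM = .
  }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] -> keys, with one level of '{ }' stanzas."""
    conf, section, stanza = {}, None, None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, stanza = line[1:-1], None
            conf[section] = {}
        elif line.endswith("{"):
            stanza = line.rstrip("{= ")
            conf[section][stanza] = {}
        elif line == "}":
            stanza = None
        else:
            key, _, val = line.partition("=")
            (conf[section][stanza] if stanza else conf[section])[key.strip()] = val.strip()
    return conf

def host_realm(conf, host):
    """Resolve host -> realm via [domain_realm]; the longest matching entry wins."""
    hits = [(len(d), r) for d, r in conf.get("domain_realm", {}).items()
            if host == d or (d.startswith(".") and host.endswith(d))]
    return max(hits)[1] if hits else None

def check_cross_realm(conf, client_realm, service_host):
    """Problems blocking a client_realm TGT from reaching service_host, plus the Step 2 krbtgt Principal."""
    target = host_realm(conf, service_host)
    if target is None:
        return [f"no [domain_realm] mapping for {service_host}"], None
    problems = []
    if "kdc" not in conf.get("realms", {}).get(target, {}):
        problems.append(f"no kdc address configured for realm {target}")
    hop = conf.get("capaths", {}).get(client_realm, {}).get(target)
    if hop != ".":
        problems.append(f"[capaths] {client_realm} -> {target} is not a direct trust ('.'), found {hop}")
    return problems, f"krbtgt/{target}@{client_realm}"
```

Run the check against each node's /etc/krb5.conf from Step 3; an empty problem list plus the expected krbtgt Principal means the client-side configuration matches what Step 4 relies on.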