
MaxCompute: Create a keytab configuration file

Last Updated: Mar 26, 2026

To use MaxCompute with a Kerberos-secured Hadoop cluster for a lakehouse solution, upload a keytab file to MaxCompute. This topic shows how to create a keytab file using Alibaba Cloud E-MapReduce (EMR) as an example.

Prerequisites

Before you begin, ensure that you have:

  • SSH access to the master node of a Hive cluster in EMR

  • EMR V3.30.0 or later minor versions, or EMR V4.5.1 or later minor versions

Step 1: Start the Kerberos admin client

Log on to the master node of the Hive cluster in EMR via SSH, then run the following command to start the Kerberos admin client:

sh /usr/lib/has-current/bin/admin-local.sh /etc/ecm/has-conf -k /etc/ecm/has-conf/admin.keytab

Step 2: Add the Hive principal to the KDC

In the Kerberos admin client, run the following commands to add the Hive user to the Key Distribution Center (KDC) and confirm that the user was added:

# Add the Hive user to the KDC.
add_principal -pw <password> hive
# Confirm that the user was added.
list_principals

Replace <password> with the password for the Hive principal.

Step 3: Generate the keytab file

In the Kerberos admin client, run the following command to generate a keytab file in the /tmp directory:

ktadd -k /tmp/hive.keytab -glob hive

A successful run produces output similar to:

Entry for principal hive@<REALM> with kvno 2,
    encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/tmp/hive.keytab.
Entry for principal hive@<REALM> with kvno 2,
    encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/tmp/hive.keytab.

Step 4: Validate the keytab file

  1. In the Linux terminal, switch to the Hive user:

    su - hive
  2. Use the keytab file to obtain a ticket for the Hive principal, then run klist to confirm that the ticket is in the credentials cache:

    # Obtain and cache a ticket for the Hive principal using the keytab file.
    kinit -kt /tmp/hive.keytab hive
    # Confirm that the ticket for the principal is in the credentials cache.
    klist

    A valid keytab produces output similar to:

    Credentials cache: FILE:/tmp/krb5cc_<uid>
            Principal: hive@<REALM>
    
      Issued                Expires               Principal
    <timestamp>  <timestamp>  hive@<REALM>
  3. Log on to the Hive client. A successful log-on confirms that the keytab file is valid.
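
The keytab written in Step 3 holds the long-term keys of the hive principal and sits in /tmp, which is world-writable, so its file attributes are worth checking before it is used in Step 4 or uploaded. The shell function below is an added example, not part of the original documentation; the name keytab_findings and the policy it applies (regular file, expected owner UID, no group or other permission bits) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a keytab's file attributes.
# Usage: keytab_findings FILE EXPECTED_UID
# Prints one finding per line; returns 0 only when there are none.
keytab_findings() {
    kt=$1
    want_uid=$2
    rc=0
    # /tmp is world-writable, so reject a symlink planted at the keytab path.
    if [ -L "$kt" ]; then
        echo "symlink: $kt is a symbolic link"
        return 1
    fi
    if [ ! -f "$kt" ]; then
        echo "missing: $kt is not a regular file"
        return 1
    fi
    # "ls -ldn" prints e.g. "-rw------- 1 1001 1001 ..." (numeric owner).
    meta=$(ls -ldn -- "$kt")
    mode=${meta%% *}
    uid=$(printf '%s\n' "$meta" | awk '{print $3}')
    # Drop the type and owner bits; the rest must grant nothing to group/other.
    case ${mode#????} in
        ------*) ;;
        *) echo "mode: $mode grants group or other access"; rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "owner: uid $uid, expected $want_uid"
        rc=1
    fi
    return $rc
}

# Demo on a constructed stand-in file (not a real keytab).
demo=$(mktemp)
chmod 644 "$demo"
echo "before: $(keytab_findings "$demo" "$(id -u)" || true)"
chmod 600 "$demo"
keytab_findings "$demo" "$(id -u)" && echo "after: no findings"
rm -f "$demo"
```

On the EMR master node the call would be keytab_findings /tmp/hive.keytab "$(id -u hive)", assuming the hive user from Step 4 is the intended owner of the file.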