Manage Secure Hadoop account


Available in VPC

Secure Hadoop uses Kerberos- and LDAP-based account systems. These two authentication systems are configured redundantly on the two master nodes and can be accessed through the edge nodes.
For tasks such as adding, changing, or deleting user accounts, you must run the corresponding commands for both Kerberos and LDAP. In addition, the user ID must be identical in the two systems, and a keytab file is required for user authentication.

Caution
  • The Kerberos and LDAP user information is a core component of the Secure Hadoop configuration.
  • Editing or deleting the principals, keytabs, and LDAP entries that the cluster itself created and uses may cause the cluster to malfunction.
  • Principals and LDAP entries created by the user are not affected by this restriction.

Kerberos

Kerberos is accessed on the master node.
To manage principals in the admin shell, follow these steps:

  1. Access the admin shell.

    kadmin.local
    
  2. Create a new principal.

    # Create a principal with a random key.
    addprinc -randkey user1@USER.GUIDE
    # Create a principal by entering the password.
    addprinc user1@USER.GUIDE
    
  3. Change the principal password.

    change_password user1@USER.GUIDE
    
  4. Download the principal keytab file.

    ktadd -k /tmp/user1.keytab user1@USER.GUIDE
    
  5. Log in with the principal using the keytab file.

    kinit -kt /tmp/user1.keytab user1@USER.GUIDE
    
  6. Check the principal login status.

    # Credentials of the principal currently logged in on this node
    klist
    # Principals (keys) contained in the downloaded keytab
    klist -kt /tmp/user1.keytab
    
  7. Delete the principal.

    delprinc user1@USER.GUIDE
    

LDAP

LDAP is a directory service that stores and manages user information. In Secure Hadoop, it works together with Kerberos to provide authentication and permission management.

  1. Register the user.

    # uidNumber must be unique: use a number not already assigned to another account.
    ldif=/tmp/add-account.ldif
    HASH_USER_PW=$(slappasswd -h "{SSHA}" -s "new_password")
    
    cat <<EOF | tee $ldif
    dn: uid=user name,ou=users,dc=USER,dc=GUIDE
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    cn: user name
    sn: user name
    uid: user name
    uidNumber: 30001
    gidNumber: 30001
    homeDirectory: /home/user name
    loginShell: /bin/bash
    userPassword: ${HASH_USER_PW}
    EOF
    
    ldapadd \
      -H ldap://localhost:389 \
      -D "cn=root,dc=USER,dc=GUIDE" \
      -w "Kerberos_password" \
      -f "$ldif"
    
  2. Add the user to the group.

    ldif=/tmp/modify-group.ldif
    
    cat <<EOF | tee $ldif
    dn: cn=group name,ou=groups,dc=USER,dc=GUIDE
    changetype: modify
    add: memberUid
    memberUid: user name
    EOF
    
    ldapmodify \
      -H ldap://localhost:389 \
      -D "cn=root,dc=USER,dc=GUIDE" \
      -w "Kerberos_password" \
      -f "$ldif"
    
  3. Check the user.

    ldapsearch \
      -H ldap://localhost:389 \
      -D "cn=root,dc=USER,dc=GUIDE" \
      -w "Kerberos_password" \
      -b "dc=USER,dc=GUIDE" \
      "(uid=user name)"
    
  4. Change the user's password.

    ldif=/tmp/modify-account.ldif
    HASH_USER_PW=$(slappasswd -h "{SSHA}" -s "new_password")
    
    cat <<EOF | tee $ldif
    dn: uid=user name,ou=users,dc=USER,dc=GUIDE
    changetype: modify
    replace: userPassword
    userPassword: ${HASH_USER_PW}
    EOF
    
    ldapmodify \
      -H ldap://localhost:389 \
      -D "cn=root,dc=USER,dc=GUIDE" \
      -w "Kerberos_password" \
      -f "$ldif"
    
  5. Delete the user.

    ldapdelete \
      -H ldap://localhost:389 \
      -D "cn=root,dc=USER,dc=GUIDE" \
      -w "Kerberos_password" \
      "uid=user name,ou=users,dc=USER,dc=GUIDE"
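The Kerberos and LDAP steps above must be carried out with the same user ID in both systems, and with a uidNumber that is not already in use. The following script is an added example, not part of this guide or of Secure Hadoop itself: from one user ID it generates the kadmin.local commands (steps 2 and 4 of the Kerberos section) and the LDIF for LDAP step 1, refusing to emit anything when the name is not a safe POSIX user name or the uidNumber is already taken. The realm USER.GUIDE and base DN dc=USER,dc=GUIDE come from the guide; the function names, the script name and the list of uidNumbers already in use are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Secure Hadoop guide): derive both the Kerberos and
# the LDAP provisioning commands from a single user ID so the two systems cannot drift.
# Realm and base DN are taken from the guide; everything else is constructed here.

REALM="USER.GUIDE"
BASE_DN="dc=USER,dc=GUIDE"

# Constructed sample of uidNumbers already assigned in LDAP. In a real run, collect
# this with: ldapsearch -b "ou=users,$BASE_DN" uidNumber
EXISTING_UIDNUMBERS="30001 30002 30005"

# valid_uid: the uid becomes part of the DN, the principal name, the home path and
# the keytab name, so accept only a lower-case POSIX-style name of at most 32 chars.
valid_uid() {
  case "$1" in
    ''|*[!a-z0-9_-]*|-*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# free_uidnumber: numeric and not already present in EXISTING_UIDNUMBERS.
free_uidnumber() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  for n in $EXISTING_UIDNUMBERS; do
    [ "$n" = "$1" ] && return 1
  done
  return 0
}

# kadmin_script: the kadmin.local lines for a random-key principal and its keytab.
kadmin_script() {
  uid=$1
  printf 'addprinc -randkey %s@%s\n' "$uid" "$REALM"
  printf 'ktadd -k /tmp/%s.keytab %s@%s\n' "$uid" "$uid" "$REALM"
}

# account_ldif: LDIF for the user entry; the RDN uid and the uid attribute match,
# as OpenLDAP requires. The third argument is the hash produced by slappasswd.
account_ldif() {
  uid=$1; num=$2; hash=$3
  cat <<EOF
dn: uid=$uid,ou=users,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
cn: $uid
sn: $uid
uid: $uid
uidNumber: $num
gidNumber: $num
homeDirectory: /home/$uid
loginShell: /bin/bash
userPassword: $hash
EOF
}

# provision: validate, then print both halves. Returns 1 and prints nothing on
# stdout when input is rejected, so a bad name never reaches either system.
provision() {
  uid=$1; num=$2; hash=$3
  valid_uid "$uid" || { echo "rejected: invalid uid '$uid'" >&2; return 1; }
  free_uidnumber "$num" || { echo "rejected: uidNumber '$num' is invalid or in use" >&2; return 1; }
  echo "# --- feed to: kadmin.local ---"
  kadmin_script "$uid"
  echo "# --- save as LDIF and feed to: ldapadd -f ---"
  account_ldif "$uid" "$num" "$hash"
}

# Usage (hypothetical script name):
#   sh provision-account.sh user1 30003 "$(slappasswd -h '{SSHA}' -s 'new_password')"
if [ "$#" -eq 3 ]; then
  provision "$@"
fi
```

The script only prints what would be applied; review the output, then pass the first block to kadmin.local and the LDIF to ldapadd with the bind options shown in the guide. Because it uses addprinc -randkey followed by ktadd, the principal is keytab-only: if you instead create the principal with a password, remember that ktadd replaces the key with a random one and that password stops working. Write the LDIF to a file only you can read rather than to a shared /tmp path, since it carries the password hash.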