Skip to main content
Pentaho Documentation

Set Up Kerberos for Pentaho

Overview

Instructions for setting up Kerberos on Pentaho computers that will connect to Big Data clusters.

How you set up Kerberos on a machine that the Pentaho Server can access to connect to Big Data clusters depends on your operating system.

Configure Kerberos on Linux

To configure Linux computers, complete these tasks.

Install JCE

The KDC configuration includes an AES-256 encryption setting. If you want to use this encryption strength, you must install the Java Cryptographic Extension (JCE) files. Perform the following steps to install JCE:

  1. Download the Java Cryptographic Extension (JCE) for the currently supported version of Java from the Oracle site.

  2. Install JCE using the included instructions.
  3. Copy the JCE jar files to the java/lib/security directory where PDI is installed on the Linux machine.

Modify the Kerberos Configuration File

Perform the following steps to modify your Kerberos configuration file:

  1. Open the krb5.conf file with any text editor. The default location is the /etc directory.

  2. Add your realm, KDC, and Admin Server information as shown in the following example:
    [libdefaults]
           default_realm = <YOUR_REALM.COM>
    ...
    
    [realms]
    <YOUR_REALM.COM>= {
    kdc=<KDC IP Address, or resolvable Hostname>
    admin_server=<Admin Server IP Address, or resolvable Hostname>
    ...
    }
    [domain_realm]
    <.your_realm.com> = <YOUR_REALM.COM>
    <your_realm.com> = <YOUR_REALM.COM>
    
  3. Save and close the configuration file.
  4. Restart the computer.

Synchronize Clocks

Synchronize the clock on the Linux client with the clock on the Hadoop cluster. If the timestamp on the client requests differs too much from the clock on the cluster, Kerberos will not authenticate the user. Consult your operating system's documentation for information on setting your systems clock.

Obtain Kerberos Ticket

To obtain a Kerberos ticket, complete these steps.

  1. Open a Terminal window and type kinit at the prompt.
  2. Enter a password when prompted.
  3. Make sure that the Kerberos ticket was granted by typing klist at the prompt. The authentication information should appear.

Configure Kerberos for Windows

To configure Kerberos Windows computers, complete these tasks.

Install JCE

The KDC configuration includes an AES-256 encryption setting. If you want to use this encryption strength, you must install the Java Cryptographic Extension (JCE) files. Perform the following steps to install JCE:

  1. Download the Java Cryptographic Extension (JCE) for the currently supported version of Java from the Oracle site.

  2. Follow the installation instructions that are included with the download.
  3. Copy the JCE jar files to the java\lib\security directory where PDI is installed.

Download and Install Kerberos

Download and install a Kerberos server. We recommend that you use the Heimdal implementation of Kerberos, which can be found here: https://www.secure-endpoints.com/heimdal/.

Modify the Kerberos Configuration File

Perform the following steps to modify your Kerberos configuration file:

  1. Open the krb5.conf file with any text editor. The default location is the C:\ProgramData\Kerberos directory.

  2. Add your realm, KDC, and Admin Server information as shown in the following example:
[libdefaults]
       default_realm = <YOUR_REALM.COM>
...

[realms]
<YOUR_REALM.COM>= {
kdc=<KDC IP Address, or resolvable Hostname>
admin_server=<Admin Server IP Address, or resolvable Hostname>
...
}
[domain_realm]
<.your_realm.com> = <YOUR_REALM.COM>
<your_realm.com> = <YOUR_REALM.COM>
  1. Save and close the configuration file.
  2. Make a copy of the configuration file and place it in the c:\Windows directory. Rename the file krb5.ini.
  3. Restart the computer.

Synchronize Clocks

Synchronize the clock on the Windows client with the clock on the Hadoop cluster. If the timestamp on the client requests differs too much from the clock on the cluster, Kerberos will not authenticate the user. Consult your operating system's documentation for information on setting your systems clock. The times on the Windows clock and the Hadoop cluster clock must not be greater than the range you entered for the clockskew variable in krb5.conf file. Consult your operating system's documentation for information on setting your systems clock.

Obtain Kerberos Ticket

To obtain a Kerberos ticket, complete these steps.

  1. Open a Command Prompt window and type kinit at the prompt.
  2. Enter a password when prompted.
  3. Make sure that the Kerberos ticket was granted by typing klist at the prompt. The authentication information should appear.

If you are using the Heimdal version of Kerberos, the klist command output should not have the "Current LoginId is ..." prompt.

Set Up User Accounts and Network Access (All OS)

Ensure that user accounts and network access has been granted.  Specific tasks include:

  • Ensure the ports you plan to use are open between the cluster and computers running Pentaho components, like the Pentaho Server, Spoon, PRD, and PME.
  • Make sure each server can use a hostname to access each computer on the cluster. Test to ensure that IP addresses resolve to hostnames using both forward and reverse lookups.
  • Add user account credentials for each Pentaho user needing access to the cluster through the Kerberos database. 
  • Make sure the UID and GID for the user that you are running your jobs as on the matches the user UID and GID of that user for every computer of the cluster.

Next Step

Continue with the configuration process: