| Configure Kerberos on all nodes: | |
| $ cat /etc/krb5.conf | |
| # /etc/krb5.conf for a two-realm test setup: DT1GCE.CLOUDERA.COM and DT2GCE.CLOUDERA.COM, both under the gce.cloudera.com DNS domain. | |
| # Boolean settings are written in mixed forms below (false / yes / true); MIT krb5 accepts all of them, but one form would read more consistently. | |
| [logging] | |
| # Log file targets for the client library (default), the KDC and kadmind. | |
| default = FILE:/var/log/krb5libs.log | |
| kdc = FILE:/var/log/krb5kdc.log | |
| admin_server = FILE:/var/log/kadmind.log | |
| [libdefaults] | |
| # Deliberately short lifetimes: tickets expire after 25 minutes and may be renewed for up to 90 minutes. | |
| renew_lifetime = 90m | |
| default_realm = DT1GCE.CLOUDERA.COM | |
| # DNS-based realm and KDC discovery is off, so KDC addresses and the host-to-realm mapping come only from the [realms] and [domain_realm] sections below. | |
| dns_lookup_realm = false | |
| dns_lookup_kdc = false | |
| ticket_lifetime = 25m | |
| # Tickets are forwardable by default (needed for delegation); note that a stolen TGT can then be reused from another host, so keep lifetimes short as done here. | |
| forwardable = yes | |
| # NOTE(review): enables weak enctypes (such as single DES) cluster-wide. Remove this or set it to false unless a legacy component here actually needs them; if one does, document which. | |
| allow_weak_crypto = true | |
| [realms] | |
| # One KDC (port 88) and one kadmin server (port 749) per realm; both realms declare the same default_domain. | |
| DT1GCE.CLOUDERA.COM = { | |
| kdc = gsomogyi-cdh6x-secure-dt1-1.gce.cloudera.com:88 | |
| admin_server = gsomogyi-cdh6x-secure-dt1-1.gce.cloudera.com:749 | |
| default_domain = gce.cloudera.com | |
| } | |
| DT2GCE.CLOUDERA.COM = { | |
| kdc = gsomogyi-cdh6x-secure-dt2-1.gce.cloudera.com:88 | |
| admin_server = gsomogyi-cdh6x-secure-dt2-1.gce.cloudera.com:749 | |
| default_domain = gce.cloudera.com | |
| } | |
| [domain_realm] | |
| # Explicit per-host mapping: with dns_lookup_realm = false and one DNS domain shared by two realms, a domain-wide rule (.gce.cloudera.com) would be ambiguous, so every node is listed individually. Any node added later must be appended here on all hosts. | |
| gsomogyi-cdh6x-secure-dt1-1.gce.cloudera.com = DT1GCE.CLOUDERA.COM | |
| gsomogyi-cdh6x-secure-dt1-2.gce.cloudera.com = DT1GCE.CLOUDERA.COM | |
| gsomogyi-cdh6x-secure-dt1-3.gce.cloudera.com = DT1GCE.CLOUDERA.COM | |
| gsomogyi-cdh6x-secure-dt1-4.gce.cloudera.com = DT1GCE.CLOUDERA.COM | |
| gsomogyi-cdh6x-secure-dt2-1.gce.cloudera.com = DT2GCE.CLOUDERA.COM | |
| gsomogyi-cdh6x-secure-dt2-2.gce.cloudera.com = DT2GCE.CLOUDERA.COM | |
| gsomogyi-cdh6x-secure-dt2-3.gce.cloudera.com = DT2GCE.CLOUDERA.COM | |
| gsomogyi-cdh6x-secure-dt2-4.gce.cloudera.com = DT2GCE.CLOUDERA.COM | |
| On `DT1GCE.CLOUDERA.COM` side: | |
| * Check the krbtgt principals: | |
| $ sudo kadmin.local | |
| kadmin.local: listprincs krbtgt* | |
| krbtgt/[email protected] | |
| krbtgt/[email protected] | |
| krbtgt/[email protected] | |
| If one is missing, add it with the same password: | |
| kadmin.local: addprinc -pw cloudera krbtgt/[email protected] | |
| * Put this into Kafka server.properties: | |
| # auth_to_local rule: a one-component principal, formatted as user@REALM by [1:$1@$0], whose realm is DT2GCE.CLOUDERA.COM has its @REALM suffix stripped, yielding the bare user name; every other principal falls through to DEFAULT, which on the DT1 side (default_realm = DT1GCE.CLOUDERA.COM) maps only principals of that local realm. | |
| # NOTE(review): the net effect is that user@DT2GCE.CLOUDERA.COM and user@DT1GCE.CLOUDERA.COM become the same local identity, so Kafka ACLs cannot tell the two realms apart — confirm that is intended. The dots in the realm pattern are unescaped regex metacharacters and match any character; escape them (\.) if an exact realm match is wanted. | |
| sasl.kerberos.principal.to.local.rules=RULE:[1:$1@$0](.*@DT2GCE.CLOUDERA.COM)s/@.*//,DEFAULT | |
| Do the same on the `DT2GCE.CLOUDERA.COM` side. |