Using a Custom Kerberos Keytab Retrieval Script

The Cloudera Manager Kerberos setup procedure requires you to create an administrator account for the Cloudera Manager user. Cloudera Manager will then connect to your KDC and use this admin account to generate principals and keytabs for the remaining CDH services. If for some reason, you cannot create a Cloudera Manager administrator account on your KDC with the privileges to create other principals and keytabs for CDH services, then these will need to be created manually.

Cloudera Manager gives you the option to use a custom script to retrieve keytabs from the local filesystem. To use a custom Kerberos keytab retrieval script:
  1. The KDC administrators should create the required principals and keytabs, and store them securely on the Cloudera Manager Server host.
  2. Create the keytab retrieval script. Your script should take two arguments: a full principal name for which it should retrieve a keytab, and a destination to which it can write the keytab. The script must be executable by the Cloudera Manager admin user, cloudera-scm. Depending on the principal name input by Cloudera Manager, the script should locate the corresponding keytab on the Cloudera Manager Server host (stored in step 1), and copy it into a location accessible to the cloudera-scm user. Here is a simple example:
    #!/bin/bash

    # Cloudera Manager will input a destination path
    DEST="$1"

    # Cloudera Manager will input the principal name in the format: <service>/<fqdn>@REALM
    PRINC="$2"

    # Assuming the '<service>_<fqdn>@REALM.keytab' naming convention for keytab files,
    # replace the single '/' in the principal with '_' (quoted to keep odd characters intact)
    IN=$(printf '%s' "$PRINC" | sed -e 's/\//_/')
    SRC="/keytabs/${IN}.keytab"

    # Exit non-zero if no keytab has been stored for this principal, so Cloudera Manager sees the failure
    [ -f "$SRC" ] || { echo "keytab not found: $SRC" >&2; exit 1; }

    # Copy the keytab to the destination input by Cloudera Manager
    cp -v "$SRC" "$DEST"

    Note that the script will change according to the keytab naming convention followed by your organization.

  3. Configure the location for the script in Cloudera Manager:
    1. Go to the Cloudera Manager Admin console.
    2. Select Administration > Settings.
    3. Select Category > Kerberos.
    4. Locate the Custom Kerberos Keytab Retrieval Script and set it to point to the script created in step 2.
    5. Click Save Changes.
  4. Once the Custom Kerberos Keytab Retrieval Script property is set, whenever Cloudera Manager needs a keytab, it will ignore all other Kerberos configuration and run the keytab retrieval script to copy the required keytab to the desired destination.
  5. Cloudera Manager can now distribute the keytab to the services that need access to it.
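As an added example that is not part of Cloudera's documentation, the following is a fail-closed variant of the retrieval script from step 2: it accepts only principals of the form <service>/<fqdn>@REALM, so an unexpected name can never resolve to a path outside the keytab store, and it reports distinct exit codes for a rejected principal, a missing keytab and a failed copy. It assumes the same <service>_<fqdn>@REALM.keytab layout, under a directory named by a hypothetical KEYTAB_DIR variable that defaults to /keytabs.

```bash
#!/bin/bash
# Added example, not Cloudera's own script. Assumed layout (the page's convention):
# keytabs stored under KEYTAB_DIR (hypothetical, default /keytabs) as
# <service>_<fqdn>@REALM.keytab. Cloudera Manager runs: <script> <destination> <principal>

# Map a principal to its keytab path. Returns 1 and prints nothing unless the
# principal matches <service>/<fqdn>@REALM exactly (one '/', one '@', no other
# separators), so a malformed name never resolves to an arbitrary file.
keytab_path_for() {
    local princ="$1"
    printf '%s' "$princ" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$' || return 1
    printf '%s/%s.keytab\n' "${KEYTAB_DIR:-/keytabs}" "$(printf '%s' "$princ" | sed 's#/#_#')"
}

# Copy the keytab for principal $2 to destination $1. Exit codes: 2 rejected
# principal, 3 missing or unreadable keytab, 4 copy or chmod failed.
retrieve_keytab() {
    local dest="$1" princ="$2" src
    src=$(keytab_path_for "$princ") || { echo "rejected principal: $princ" >&2; return 2; }
    [ -f "$src" ] && [ -r "$src" ] || { echo "no readable keytab at $src" >&2; return 3; }
    # Keep the copy private to the invoking user (cloudera-scm).
    cp "$src" "$dest" && chmod 600 "$dest" || return 4
}

# Entry point when invoked by Cloudera Manager with its two arguments.
if [ "$#" -eq 2 ]; then
    retrieve_keytab "$1" "$2"
    exit $?
fi
```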